Posted on 2024-06-06 by Nathan Jarvie in Certifications
Introduction
Oops, I did it again.
I did a new course, got lost learning new things.
Oh baby, baby,
Oops, I passed all the tests
Got a new web app cert
Now I’m certified (Bug Bounty Hunter)
2024 is an interesting time for certifications in the cybersecurity industry. A lot of new certifications are appearing from all over the place and it’s difficult to determine whether the provider is genuinely trying to help the industry grow or just out to make a cash grab.
I spend a lot of time on various Discord channels and hear a lot of opinions about the courses that are released, and while some of these are good, the majority of feedback about recent courses is bad: that a lot of the content is AI-generated garbage and that the final exam for the certification is buggy, broken, or irrelevant to the course content.
That said, I had heard good things about HackTheBox’s recent foray into the certification space and was keen to try it out myself. This also aligned with my self-imposed 2024 challenge to do a web app certification. So earlier this year I bought myself some “cubes” and got started working through their Bug Bounty Hunter career path.
What is it?
HackTheBox (HTB) have been known for years as a training ground and CTF platform. More recently they have spun up a new platform designed to teach, more than to challenge. The HTB Academy platform consists of “modules” that you can purchase with their currency. Each module focuses on a specific topic and will guide the user through how it works and how to execute it.
Modules can be accessed in a few ways. Either through a subscription (either annual or monthly) or through the purchase of “cubes”. Most modules will refund a portion of the cubes on completion so the actual cost of a whole path is less than described.
Buying the course outright will cost about 1200 “cubes” which is about USD$120 and the exam voucher is USD$210. However, subscriptions are available that can bring the cost down significantly.
Students can access a heavily discounted subscription of USD$8 per month which gives access to all the relevant modules. You will need to register using your school/university email address to be eligible.
For those who are not students, there are different subscription models available, both annual (which includes an exam voucher) and monthly, which is just an allocation of cubes for you to use as you wish. If you want to be sneaky about it, you could sign up for a month of Platinum (USD$68) and then cancel it, and sign up again for a month of Silver (USD$18) to get your 1200 cubes for a discounted rate.
Once you have your cubes (or subscription), you can enrol in a Skills Path which will outline the modules required for each certification.
In this case I enrolled in the Bug Bounty Hunter career path in order to go for my Certified Bug Bounty Hunter (CBBH).
Who is it for?
The HTB Academy has a variety of modules covering offensive and defensive security, as such it can be a valuable resource to anyone in the infosec space. They even have a certification for SOC analyst which is pretty cool.
But you clicked on this blog because it’s about CBBH, so let’s talk about that. The Bug Bounty Hunter career path and the associated certification are aimed at beginner web app security testers and developers looking to expand their skills into secure software development. That being said, I feel that intermediate-level web app testers will still get something out of this course. (I did.)
The Course
The course itself is well written and each module is well explained and demonstrated. The topics covered in the course are aimed at beginners looking to get into web application security, but do not let that fool you into thinking it’s easy. While some of the modules cover the basic elements of web applications and are generally quick to work through, others delve quite deeply into some edge cases that can be confusing to understand on the first read-through.
It’s clear the course content writers have thought about this and in true HackTheBox style, the module topics are demonstrated using an environment you can spin up and test for yourself. This allows you to follow along as you read and understand the materials which is important to grasp the more complicated topics. On completion of the topic lab you will be rewarded with a flag or a question which you will need to submit to move on to the next topic.
At the end of each module is a skills assessment. Unlike the module topics, the skills assessment does not provide any hints. You must use the skills described in the module to capture the flag and complete the challenge. In most cases, this is a good demonstration of the module content and leaves you with a boost to your self-confidence when you finally get it.
These skills assessments vary in length and difficulty. If you get properly stuck you can try the HTB Discord channel or the forums for a friendly nudge.
The Good
The course content is well written and comprehensive. Each topic is detailed and gives the student a good understanding of the concept and how it can be abused. Efforts have been made to not only demonstrate the technique but, where possible, explain what vulnerable code looks like, why it is vulnerable, and some practical methods to mitigate the risk. This is something I have found is missing from other courses I have completed in the past (such as PEN-200’s web section and eWPT).
I really enjoyed most of the skills assessments and found them to be great learning experiences.
I also like that you get to keep the content and all updates to the modules you have purchased as part of the course. You have access to them for life once purchased including any updates made. They can be a good reference for times when I feel a little out of practice with a technique.
The Bad
There are a few things I would like to highlight that I found were a bit jarring.
The first is that the entire course is text based. While this is incredibly useful for searching for information, it makes the learning process a little tiring for me. There were weeks when I simply didn’t have the time to read page after page of information, but I still wanted to progress, even if just a little. I would like to see some videos covering the major topics, even if they are the same as the text, just to break up the monotony of reading page after page or for cramming/refreshing a topic. Additionally, there are some topics that are touched on but not covered in this skill path that I think are important (such as blind SQLi). But they are available in the Senior Web Security Expert path, so I guess I will have to do that one too.
I also have a bit of an issue with some of the skills assessments. While most of them were interesting and challenging, some of them felt out of place and unnecessarily difficult or convoluted. After reading the module thoroughly, understanding all the topics and passing all the topic challenges with relative ease, it felt very jarring to hit the skills assessment and be stuck on it for 3-6 hours (or more!). In a few cases I had to resort to checking the forums or Discord for a nudge only to find out that many people were stuck in the same place and the answer involved quite a bit of guessing/brute-forcing, which was not the subject of the assessment. It feels like more details could be provided at the beginning or during the assessment to get you on the right path instead of punishing you with a “Try Harder” approach while you are trying to learn.
The Exam
In order to sit the Certified Bug Bounty Hunter (CBBH) exam, the candidate must first complete the entire Bug Bounty Hunter skills path to 100%. That includes all modules, their labs, and the skills assessments. Once complete, you will be able to activate your exam voucher and enter the exam.
It is worth noting here that you do not have to book your exam in. Once you enter the exam, the timer starts and you are off. So be prepared BEFORE you click that button. You cannot cancel an active exam session, and you will lose your attempt. But not to worry! The voucher includes one free exam retake.
When you enter the exam portal you are presented with the Rules of Engagement and an ominous countdown in the corner. The Rules of Engagement describes the instructions for the exam and should be read very carefully, multiple times. It describes:
- The scenario
- The in-scope targets
- The requirements to pass the exam
- Targets that are explicitly out of scope
- A report template for you to download
Otherwise, the exam portal should look familiar. There is a panel to access your OVPN file or spawn your Pwnbox instance if you prefer, and a panel to enter your flags.
You are given 7 days from the time you enter the exam to complete the exam. This requires you to capture 80 points of a possible 100, and to submit a professionally written report complete with the attack chain(s) used, all vulnerabilities discovered and their remediation.
Ideally, you should spend up to 5 days on testing and 2 days on the report.
The report itself should be in a format in which the reader could copy and paste your proof-of-concept or can follow along with your work. You can make good use of Burp Suite’s “Copy as cURL” command here then modify the command to clean it up. Best practice is to remove anything that is not essential for better readability (e.g. extra headers and data).
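As an added illustration of the clean-up step described above (this is my own example code, not from the original post, HTB or Burp), a small Python helper that strips browser noise from a Burp “Copy as cURL” command so the proof-of-concept in a report stays short and copy-pasteable. The sample command and the allowlist of headers to keep are assumptions for this example.

```python
import re
import shlex

# Headers a reader usually needs to reproduce the request; everything else
# (User-Agent, Accept-*, Sec-Fetch-*, ...) is browser noise. This allowlist
# is an assumption for the example, not Burp's or HTB's.
KEEP_HEADERS = {"host", "content-type", "cookie", "authorization", "x-csrf-token"}
# Flags Burp adds that a report reader rarely needs.
DROP_FLAGS = {"-s", "--compressed"}


def minimise_curl(cmd: str) -> str:
    """Return a one-line curl command with non-essential headers/flags removed."""
    # Join shell line continuations and turn Burp's $'...' quoting into plain
    # single quotes so shlex can tokenise it (ANSI-C escapes are left as-is).
    cmd = cmd.replace("\\\n", " ")
    cmd = re.sub(r"\$(?=')", "", cmd)
    tokens = shlex.split(cmd)
    kept = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--header") and i + 1 < len(tokens):
            name = tokens[i + 1].split(":", 1)[0].strip().lower()
            if name in KEEP_HEADERS:
                kept.extend([tok, tokens[i + 1]])
            i += 2
            continue
        if tok not in DROP_FLAGS:
            kept.append(tok)
        i += 1
    return " ".join(shlex.quote(t) for t in kept)


# Constructed sample in the shape Burp's "Copy as cURL" produces (not real traffic).
SAMPLE = r"""curl -i -s -k -X $'POST' \
    -H $'Host: shop.example.com' -H $'User-Agent: Mozilla/5.0' \
    -H $'Accept: */*' -H $'Accept-Language: en-US' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Cookie: session=EXAMPLE' -H $'Sec-Fetch-Site: same-origin' \
    --data-binary $'id=1' $'http://shop.example.com/api/item'"""

if __name__ == "__main__":
    print(minimise_curl(SAMPLE))
```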
If you fail to reach the required number of points, submit a report with your findings as they are. The HTB certification team will provide you with some feedback and a nudge for your next attempt. A free retake is included in the exam voucher, however it must be started within 14 days of receiving your feedback.
The exam itself is challenging but fair. I spent a lot of time down rabbit holes and chasing my tail. However, once I settled down and used a more methodical approach, I was able to rack up the points I needed quite quickly. It was definitely one of the more difficult exams I have done, but in hindsight everything was completely fair and reasonable.
Advice for students
Here are some tips that may be useful for the exam.
- Get comfortable using command-line tools and Burp Suite/ZAP. Do not rely on only one tool for the whole course. It will bite you in the arse later if it has issues.
- Everything you need for the exam is in the course. Spend time making some cheat sheets, checklists or quick reference guides to make your exam experience a bit easier.
- Use the search feature! The exam is open book. You can use any resources available to you, including the modules themselves. If you come across a service, look it up in the search feature to find a module you have and read about it. But stay within the scope of the course!
- Think creatively. The course gives you everything you need to pass but it doesn’t give it to you in a copy-paste manner. Make sure you understand the concepts and read all the additional information in the module. There are lots of extra nuggets of information throughout the modules that refer to edge cases or alternate configurations.
- Time management is important. You have multiple goals to achieve in the time frame and jumping around randomly from one to another is not an efficient use of your time. Investigate a target, note everything of interest, have a crack at it. After a period switch to a new target and work through that one. Give yourself time for breaks, eating and sleeping. The number of times in exams when the answer has come to me while resting is amazing. I should do all my exams in bed.
- Take notes throughout the exam. Make a checklist of things you have tried and what you want to try next. Work through it methodically.
- It’s ok to repeat a technique. I found a few times I tried something and it didn’t work, only to come back to it later and try it again from scratch to find that it was the correct path all along. Sometimes we get lost in the weeds and make changes we forget about which breaks the attack.
Conclusion
I think that HTB did a good job of creating a course that covers most of the basics and some of the more complex topics of web application security. The exam is fair but not easy. Good courses in web app security are few and far between, and good-quality exams that are not just Metasploitable/Juice Shop/bWAPP reskins are even rarer. HackTheBox have done a great job in making an environment that feels like a real web test.
I will recommend this course to anyone who wants to make a start in web app security.
As always, if you have any questions, please feel free to reach out to me on my socials.
About the author
Nathan is a certification addict; he can’t stop and it’s becoming a problem. We can’t talk to him about it directly, but consider this a call for help.
If you need help with your security, get in touch with Volkis.