Introduction
Hack the Box have a couple of certifications, the Certified Penetration Testing Professional (CPTS), and the Certified Bug Bounty Hunter (CBBH). This post will be covering the CBBH.
CBBH is a web application hacking certification, with an associated course.
The Course
The course material was really good, and I learnt a few tricks from it. It’s predominately focused up manually testing web applications rather than just running tools against them. The syllabus can be found here, but it’s essentially OWASP Top 10 type stuff (as you would expect). The key knowledge domains being;
- Bug Bounty Hunting processes and methodologies
- Web application/web service static and dynamic analysis
- Information gathering techniques
- Web application, web service and API vulnerability identification and analysis
- Manual and automated exploitation of various vulnerability classes
- Vulnerability communication and reporting
The course is split into 20 modules. Small exercises are scattered throughout the material to reinforce your understanding of the content, with each module ending in a challenge to test your understanding of the techniques used in unison. These challenges can be completed either using your own system and connecting to HTB servers using a VPN, or entirely in a web browser where your given remote access to a Parrot Security virtual machine.
The course modules are shared between different “skill paths”. These are essentially courses, that contain modules. So if you complete the web app modules in the CBBH, you won’t have to relearn the same information in the CPTS.
It’s worth noting there is a CREST CCT APP skill path, and completing the CBBH accounts for around 40% of that path. So the CCBH could be a good starting point when preparing for CREST exams.
It took me a couple of months to go through the material in my spare time, I think this would be similar for most people.
I did encounter a couple of issues with the material;
- Hints are provided for challenges. I tried not to use these, but some challenges require you to use the hint button. I think if information is required, it shouldn’t be part of the hint system.
- A few of the exercises didn’t really make a lot of sense even after completing them and required looking at the forum for assistance.
Another thing which needs mentioning is the pricing model, which is unusual. You unlock course modules using “cubes”, which is their currency. Cubes are purchased using real money, either on a subscription basis or as a one off purchase. Modules have different cube requirements, and therefore different pricing. Some modules reward you with cubes for completing challenges.
If you go down the route of buying cubes as a subscription or individually, you will still need to buy an exam voucher for £150. The exam vouchers provide two attempts.
I think it’s understandable to be confused by the pricing model. It does feel like they’re one loot box away from becoming the next Electronic Arts at this point.
However, compared to similar training it does work out as relatively inexpensive, and it does give you the ability to pick and choose what content your interested in.
The Exam
The exam is pretty standard for a penetration testing exam. Compromise systems to get points, then write a report afterwards. It aligns with the course material, but can require some out of the box thinking to combine techniques in unusual ways.
Obviously I can’t say much more than that without spoiling it.
The issue I have with the exam is the time it takes to complete. You have seven days to finish the exam and write the report. This essentially rules a lot of people out, assuming your employer isn’t willing to let you have the time off to do it. I hope they consider shortening the length of exams in future.
In Summary
I would recommend the course if you want to learn more about black box web application penetration testing. I think it’s also a useful resource for going through Hack the Box challenge machines. The pay as go you model means you haven’t got a lot to lose by trying it out.
The exam is good, provided you can find the time for it. Being a newer certification, it doesn’t have the same industry recognition as more established certifications, but that might come over time given how well known Hack the Box are in the industry.