Certified Bug Bounty Hunter: Should you go for Broke, or take a Junior Level Certification First
This blog is mainly for those just starting out and curious whether jumping straight into HackTheBox certifications is right for you. For those who want to skip straight to the title content, I don’t blame you: {https://arc.net/l/quote/bncihvjs}
New to blogging, and new to Hacking, my imposter syndrome (or what I call Imposter Demon) threatened the probability of this blog ever seeing the light of day. But, starting my first blog in this way puts the demon not in my rear-view but directly in the chair next to me, forcing it to watch as I break its chains that all of us experience in our respective domains. Hi, my name is Amar Redzepagic, and the past 4 months have been the most entertaining, insightful, and especially difficult period of my life. In this blog, I’ll write about my experiences with both the PJWT & CBBH, whether or not you should take one before the other, and how they compare in terms of difficulty, requirement, and worth.
Authentic or just Full of Sh**
While figuring out how to write this blog, I didn’t think to touch on my personal journey at all. My ego is secretly big — as I think all of ours are — but not that big. “No one is going to care, just write the review and publish it”, I thought to myself; and that could very well be the case. But regardless of the outcome here, if this helps even one person who is looking for a little bit more than just the technical advice (which we go into below), it will have been well worth it. And this wouldn’t be an authentic blog if I didn’t admit the selfish part: that I needed to prove to myself I wasn’t full of sh*t — and that I really have found what I want to do for the rest of my life.
Shameless Plug:
Publishing this is just part of the beginning of a series of blogs I plan on posting about all things hacking — including the Bug Bounty Hunter (job role) path. I plan to do weekly write-ups on some of the more difficult modules (in my opinion) to help those currently going through the path.
Review Before Results?
First disclaimer (of many): I’ve only recently submitted my CBBH report, which means that I am currently awaiting the report portion of the results. I told you I had an ego, but in fact, it has nothing to do with confidence — think of this blog more as a big middle-finger to my Imposter Demon and a small thank you to the hacking community in general. I’ve learned that a Hacker is only as good as their community & network. So, I feel that now it’s my turn to start paying it forward.
Now, to provide some Proof-of-Concept against any potential fluff I might have unintentionally given off, I’ll humbly admit that my input may be of some use to anyone looking for some insight, simply from the fact that during the CBBH exam, you’ll know off the bat whether you’ve passed the “technical” portion or not. I’m not sure of the boundaries here so I’ll keep it pretty vague, but I’ll hint that it’s pretty similar to the academy modules and how you progress through them. That said, I’m happy to say that I got enough points to pass the technical portion of the exam. However, that’s where I’ll stop, because that’s only half the work: the report is arguably just as difficult and important. It’s the part that validates whether or not you’re real-world ready. I’ll be posting an update on my LinkedIn & Medium accounts on my results when they come in (crossing fingers).
Everything comes in Threes
Before we begin, I’d like to say that many people have helped me along the way, whether through words of encouragement or just virtual study buddies. I’m afraid it isn’t possible to list all of you here, however you know who you are, and thank you. That said, allow me to address 3 specific individuals who are directly — or indirectly — responsible for me finding my authentic love for Hacking and why I can call myself a Hacker today. Out of respect for their privacy I won’t be using their real names, but referring to them by their Hacker names instead.
November 30th, 2023, I met my Mentor, who has now become my dear friend, Ronin. I wouldn’t be writing this blog today if not for him. He helped me realize I wasn’t being authentic about my approach and I was not “acting like I belong”. This man, and what he has done for me & potentially my family, cannot be stated in one paragraph. His influence on me and the impact that it has made on my life deserves a separate blog entirely, which I’ll publish sometime next week: “The Mentor You Need vs The Mentor You Want”. There, I will go further into depth on how important it is to find the “Right” mentor. Oh, not to mention, Ronin is a really bad A$$ hacker, which makes talking about him feel like a flex on my part!
Next up, SecretAsianMan. Oh, how I love to hate this guy. He’s one of those people that make hard things look easy. He’s also a Chargers fan (yuck), but I genuinely admire him, not just as a Hacker but as one of the most kind-hearted, genuine people I’ve ever met in my life. He’s directly responsible for me starting out in the first place, and also indirectly responsible for me crossing paths with my Mentor and the 3rd individual below. One story I always bring up when I talk about him (if he’s reading this, he knows what I am about to say) is how he came to my house with a Windows XP machine in 2020, and if my memory recalls correctly, he didn’t even know how to open Windows Task Manager via keyboard shortcuts. I knew his intellect was way above average, but at that time he had very little technical experience. Despite all that, he looked at me and said “Yeah, I think I’m going to be a hacker”. Okay, pal, whatever you say . . . Sure enough, in less than a year, not only did he pass the eWPTv1 (when it had the report) but he began doing professional contracting Penetration Tests. So, you’re correct to think that by now he’d make Senior Penetration Tester (under 5 years, might I add) at the company he is currently working for. He’s an example of someone that excels in anything they do, which p*sses me off, and also — I couldn’t be more proud of him; even more than that, to call him one of my best friends.
Finally, we’ve reached the third shoutout, Garr, who I don’t have the pleasure of knowing as intimately as I’d like, but unbeknownst to him (yet), to say that he has been an inspiration in my journey would be an understatement. My Mentor (Ronin) once showed me a documentary about a hacker named Kingpin. I’m sure some of you have heard of the name before. Well, while watching this documentary about Kingpin hacking a bitcoin locker, I felt an unsettling “awe” sensation that I have only experienced twice since starting my journey: once during the Kingpin documentary, the other when I first watched Garr hack & educate his community on stream. Let me be clear, it wasn’t a negative feeling whatsoever, but more of a signal that there was something I needed to address internally within myself. Both Garr & Kingpin radiate this internal peace that made me uncomfortable at the time. Watching them also provided me a reassuring warmth about the future, but at the time I didn’t know why. It was while re-watching the documentary — only days before taking the PJWT — and with the assistance of my Mentor — through our daily discussions — that I was able to articulate what that unsettling feeling was. Garr & Kingpin are examples of what it looks like to be 100% authentic with yourself, and what it looks like to have a sense of genuine fulfillment in what you do. To elaborate, there are those who hack because it pays the bills, then there are those who want to become hackers for the respective income it presents; and then there are the 2% who become hackers because it is what they were meant to do. Their passion & love for what they do reminds me of what childhood felt like. So with that said, watching Kingpin & Garr hack, and through personal disintegration with my mentor — and may I add, by interacting with the hacking community — I realized that I had been going about this the wrong way.
That realization felt like a “switch” was flipped; I realized the love they had for hacking — I had too. And I was simply too inexperienced and afraid to allow myself to realize it before. Don’t get me wrong, I am not comparing myself to them whatsoever. It’s quite possible that I will never become the hacker they are, nor am I naive enough to think it’s even a “sure” possibility. But I can confidently say — that thanks to my mentor, best friend SecretAsianMan, and of course — by watching Garr do what he does — I have become 100% authentic with hacking & myself again. I can now say, without a shred of doubt, that — yeah — I’m a Hacker, and I will be for the rest of my life. God, that feels great to say.
Are we there yet?
Yes — yes we are. The above was mandatory, and still isn’t enough to describe my gratitude but alas, we’ve made it to the part you all came here for. Those of you who’ve read all the content above, thank you for suffering through the chaos that is my stream of consciousness. And, to those of you who clicked the “skip” link from the start, F*** you. Just kidding, just kidding! Welcome, and I appreciate you guys for stopping in to read the blog.
TCM-Security’s Practical Junior Web Tester
February 28th, 2024, I passed the Practical Junior Web Tester certification (PJWT) from TCM-Security. To my surprise — and I hardly have the credentials to think so — I’ve had a number of aspiring penetration testers reach out to me on LinkedIn asking whether they should go for a Junior Level Certification or jump straight into something like the CBBH. Short answer: if you struggle with confidence or procrastination, and you are new to Penetration Testing (you’ll know what that means for you), go for a Junior Level Certification first. The reasons are explained below.
Expectations
The PJWT will provide you with a fundamental understanding of: Web Application Architecture, Core Principles of Web/App Security, and an idea of how to use resources such as the OWASP Top 10 to help distinguish between vulnerabilities. For example, the differences between XML External Entity (XXE) and Cross-Site Scripting (XSS). Both inject malicious code and can “potentially” lead to similar consequences, such as chaining attacks to get a shell by exploiting a Remote Code Execution (RCE) vulnerability. But their fundamental difference lies in how they interact with the application stack and how they operate on different layers. That is a bit more advanced than what the PJWT will touch on, so don’t overthink it. That was just to give you an example of how truly useful resources like the OWASP Top 10 can be. Plus, doesn’t “getting a shell” just sound like some awesome hacker sh**? Yeah, yeah it does.
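To make the “different layers” point concrete, here is an added example (mine, not from the PJWT or CBBH material) for a hypothetical comment endpoint that accepts XML and later renders the comment as HTML. The XXE defense lives in the parser layer (any DOCTYPE, which is where entity declarations live, is refused before parsing continues), while the XSS defense lives in the output layer (values are HTML-escaped right before they hit the page). The `<comment>` element, the `author` attribute and the sample documents are all constructed for the example.

```python
import html
import xml.parsers.expat


class DtdForbidden(ValueError):
    """Raised when a document carries a DOCTYPE; entity tricks (XXE) need one."""


def parse_comment_xml(data: bytes) -> dict:
    """Parser-layer defense: parse <comment author="...">text</comment>
    with the stdlib expat parser and refuse any DOCTYPE up front, so no
    internal or external entity can ever be declared, let alone resolved."""
    parser = xml.parsers.expat.ParserCreate()
    result = {"author": "", "text": []}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Called as soon as expat sees "<!DOCTYPE", before the internal subset.
        raise DtdForbidden("DOCTYPE declarations are not accepted")

    def start(name, attrs):
        if name == "comment":
            result["author"] = attrs.get("author", "")

    def chars(text):
        # expat may deliver character data in several chunks; collect them.
        result["text"].append(text)

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)          # raises DtdForbidden or ExpatError on bad input
    result["text"] = "".join(result["text"])
    return result


def render_comment(comment: dict) -> str:
    """Output-layer defense: whatever survived parsing is data, not markup,
    so it is escaped at the moment it is placed into HTML."""
    return (f'<p class="comment"><b>{html.escape(comment["author"])}</b>: '
            f'{html.escape(comment["text"])}</p>')


if __name__ == "__main__":
    # Constructed sample: an ordinary comment whose text contains markup-like characters.
    doc = b'<comment author="amar">hello &lt;b&gt;</comment>'
    print(render_comment(parse_comment_xml(doc)))
    # Constructed sample: a document that declares an entity in a DOCTYPE.
    try:
        parse_comment_xml(b'<!DOCTYPE comment [<!ENTITY e "x">]><comment author="a">&e;</comment>')
    except DtdForbidden as err:
        print("rejected:", err)
```

Note that the two defenses are independent: a parser that refuses DTDs does nothing for XSS, and output escaping does nothing for XXE, which is the layering the OWASP Top 10 entries for the two are describing.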
Back to “what you should expect” from the PJWT. You’ll learn how to map a website for vulnerabilities, and what that looks like. You’ll learn how to use pentesting tools such as: Nmap, Burp Suite, DevTools (which, technically, is not a pentesting tool), and even simple Python scripts. You’ll also learn things about the terminal which will make you feel really cool: curling web requests (GET/POST/DELETE/PUT), enumerating passwords & usernames using ffuf, SQLmap (for automated SQL injection), DirBuster — and equally as important — how to navigate the terminal with basic Linux commands. But my favorite part about the entire experience was that you’ll learn how to write a Security Assessment Report. However, I’ll admit the CBBH report was an entirely different animal: you’ll get into CVSS ratings and how to use CWE when looking for specific vulnerabilities & potential chains, which I’d say is what makes one a bit more “real-world” ready than the other.
Getting Started
Now, depending on how new you are to pentesting or maybe IT in general, the PBB course will go over a brief review of all things that are basic Information Technology essentials, for example: what an octet is in an IP address, how web application firewalls (WAFs) work, how the h*ll to properly set up “listening” servers with PHP & Netcat — notice my emotional attachment to the last part, yeah, I was confused for a long time on how it actually worked. I wanted to know more than the convenient plug&play aspect of it (which you’ll need for the CBBH).
Arguably even more important than all I’ve already mentioned is that the PBB course will teach you how to set up your Penetration Testing environment. You’ll know how to set up virtual machines, depending on the OS your machine is running (macOS or Windows, they go over both). It’ll help you get started on Kali Linux (this is when you’ll really start getting an idea of what’s to come). The rest is just practice. Meaning the more time you spend on Kali and setting up servers, the easier it will become over time. PRO TIP: Take snapshots as often as you need, especially if you’re one to really customize your Kali environment (terminal wallpapers anyone??).
Requirements
Unlike the CBBH — which requires you to first complete the BBH path before taking the Exam — the Practical Bug Bounty course (PBB) is not required to take the PJWT exam. However, I highly recommend it. Everything you need comes directly from the content in the course, and I mean EVERYTHING. “Duuh” I can hear some of you saying, but too often exam courses are filled with filler content that isn’t necessary for the exam itself. That kind of content should be labeled “additional resources”. Unfortunately, INE is infamous for that kind of “filler” content today.
Final Thoughts on the PJWT
By now you should have an idea of what to expect, what the requirements are (if any), and if taking the PJWT is worth it for you. If all of the information I just went over sounds familiar to you & you have experience with it already, I’d say go for the CBBH.
But if most of what I said was unfamiliar and/or you don’t have that much experience with it, I promise getting the PJWT or a similar level certification will give you the confidence that is necessary for 99% of the aspiring penetration testers out there that are about to take on the beast that is the CBBH.
I’ll also mention — yet again — this is just another example of why having the “right” mentor is crucial for your journey. Ronin recommended that route for me, and I am glad that he did. Because what’s to come will truly test you beyond your limits, especially if you’re as green as I was.
Finishing the CBBH Path in 24 days
Is the title a flex? You bet your rootin’ tootin’ socks it is. Am I proud of it? Wholeheartedly. Is it recommended? Absolutely not. Did it affect my physical & mental health? Yes. Did I do it alone? F**k no!
This quick disclaimer is directed to the 0.5% of you that have lived your entire lives with an “all or nothing” mentality. And when I say the 0.5%, I mean those who truly live life on such a dramatic tilt of the scale that it can jeopardize their health & personal relationships. They’ve pulled off the impossible before and unfortunately their ego allows them to think they’re some kind of prodigy (and I’m FAR from that — just to be clear).
Furthermore, without getting too personal, my situation was extremely desperate to say the least, and that is why I did it in the time frame I did. And to be transparent, pulling off the impossible — and that’s what this was, especially for someone who didn’t even know how to use Nmap as recently as January 14th of this year — in 24 days, I could not have done it without the hacking community: forums.hackthebox.com, module write-ups (hence the paying it forward), and of course my direct network.
That said, you should know that this “Job-Role-Path” — to use the academy term for it — is completely Imposter Demon proof. You’ll certainly experience self-doubt, especially early on. However, the further you get into the path, the more you will realize how far you’ve come — and if I may add humbly — you’ll be learning some things even some veteran Penetration Testers don’t see in the field (as I’m told).
So, PLEASE KNOW, it doesn’t matter if you’re looking at the write-ups or asking for nudges from people on a page you’ve been stuck on for 2 days. Don’t make the same mistake I did by letting pride get in the way, and only asking after losing 2 days because you’re stuck on something you shouldn’t be. ASK for help!! And if you need to, ask often — but if you do, be sure you understand the context of the thing you needed help on before moving on.
Why it’s Imposter Demon proof
It’s impossible to get through the BBH path without knowing what you’re doing in some sense or another . . . unless someone simply does the work for you, but that’s not fun and you’re in a world of hurt for the exam and any future endeavors in this field if you do that.
So, my point is, take your time, do NOT rush this. If you don’t have a gun pointed at your head (you’ll know what that looks like for you), and you don’t have a family to provide for or the banks are calling your phone, don’t rush this. Enjoy the process and keep your health & personal relationships healthy.
Note: To my loving wife who sacrificed so much to allow me to study 12 hours a day, thank you and I love you. We’re so close to the finish line. This is the start to the rest of our lives.
CBBH: and how it compares to the PJWT
If I had to compress it into 2 words, other than the obvious (topics were just more advanced), it would be: Chain Attacks. Imagine having to find a vulnerability, okay go on . . . Now imagine using that vulnerability in order to exploit another vulnerability . . . okay and . . with all the filter bypassing you’ll have to do & all the random injections — all of them work together to finally get the “proof-of-concept” you’re looking for, only to then have to manually enumerate the flaw with trial & error.
Let me give you an example: there was a situation where I had to set up a listening server (via 2 different scripts) to “listen” for an injection I was trying to do on an input value (client-side) . . . with the catch being that this was a blind injection, with no indication that the input field was vulnerable in the first place. Meaning, it provided the same error prompt all the other input fields did. Soooooo — I’m getting worked up here, sorry — with tedious trial & error being all you had to go on, you had to bypass the blacklisting filter they had on file extensions (i.e., uploading a “.svg” file with malicious code), which then you’d FUZZ the extensions (possibly double extensions, yeah that’s a f**king thing by the way), and maybe even have to FUZZ the MIME types too; ONLY for the data to come back encrypted (okay, that part is not so bad) but after decoding it, you realize that it was “encoded” at least 3 times, so you have to reverse engineer it back to its original state.
I made that sound more confusing than it really is, but for the sake of not giving away too much (hint hint hint) I had to do this for something recently. You’ll learn about this attack from the module linked below, right above the picture of your face right now:
FILE UPLOAD ATTACKS
https://academy.hackthebox.com/module/136/section/1259
Alright, some of you experienced hackers might be laughing at me, but to someone new, and to most that haven’t seen layers of attacks like that before, it’s pretty difficult stuff. This was literally beyond my realm of possibilities while taking the PJWT. So, when I say this is one of many examples that separate HackTheBox from other learning platforms, it provides you with an idea of what you’re getting into if you plan on skipping a Junior level cert — especially if you are new to Penetration Testing. That said, this section is not to scare anyone, but rather to give you a reality check into what it will be like if you “Go For Broke” as the title suggested. Now that you properly hate me and are even more confused than before, let’s talk modules.
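To show the other side of that file upload story, here is an added example (my own, not code from the module or from HackTheBox) of how an upload handler closes every hole the attack above had to fuzz for. Instead of a blacklist of extensions, it uses an allowlist; a filename with more than one extension is rejected outright, so double extensions never reach the server; the client-supplied Content-Type must agree with the extension; and the file’s leading bytes must agree with both, so a spoofed MIME type buys nothing. The allowlist contents, the signature bytes and the sample uploads are constructed for this example, and `.svg` is deliberately left out because it is XML and can carry script, which is exactly what blacklist filters tend to miss.

```python
import os
import re

# Constructed allowlist: extension -> (leading bytes the file must start with,
# the only Content-Type accepted for it). SVG is intentionally absent.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}

# Only this character set is allowed in the base name; no dots, slashes or spaces.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason_or_stored_name).

    Allowlist-based, so there is nothing to fuzz around: an unknown extension,
    a second extension, a mismatched Content-Type or a mismatched file
    signature each rejects the upload outright."""
    # Strip any directory part the client sent, whichever slash it used.
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    # "photo.png" splits into two parts; "photo.png.jpg" (a double extension)
    # into three, and ".png" has an empty name. Both are refused.
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    name, ext = parts
    if not SAFE_NAME.fullmatch(name):
        return False, "filename contains characters outside [a-z0-9_-]"
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not in the allowlist"
    magic, mime = ALLOWED[ext]
    # The Content-Type header is client-controlled, so it is checked against the
    # extension and then the bytes are checked against both.
    if content_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match the extension"
    if not data.startswith(magic):
        return False, "file signature does not match the extension"
    return True, f"{name}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header + padding
    svg = b"<svg xmlns='http://www.w3.org/2000/svg'/>"   # constructed SVG body
    for args in [
        ("photo.png", "image/png", png),        # accepted
        ("photo.png.jpg", "image/jpeg", png),   # double extension
        ("diagram.svg", "image/svg+xml", svg),  # extension not allowlisted
        ("photo.png", "image/png", svg),        # bytes are not a PNG
        ("photo.png", "image/jpeg", png),       # header disagrees with extension
    ]:
        print(args[0], validate_upload(*args))
```

A real handler would additionally generate its own storage name rather than reusing the client’s, and serve uploads from a path or host where they can never be executed; the function above only covers the validation step the story in this section is about.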
The Modules: Do they prepare you enough?
You’ll find a theme in this blog: I thought this Path & Exam were REALLY hard. I still do. In fact, it’s part of the reason I am going to be doing the write-ups. Yes, it’s about giving back, but also, in NO way would I suggest that the content is inside of my memory recall, ready to use at a moment’s notice. To put it simply, using the Feynman Technique (teach someone something to be sure you truly understand it yourself) — also known as the First Principles Method — I plan to make sure that if I had to take the Exam again, I’d pass 10/10 times.
That said, and to answer the sub-header question: yes, it is enough. In fact, it is genuinely necessary even during the Exam. While taking the CBBH exam (7 days to hack & submit a report) I found myself practically re-doing most of the modules anyway. PRO TIP: Bookmark the modules that you found most difficult or that you’ll obviously need to refer back to.
Also
While mapping the web application, you’ll want to have some kind of methodology in place. Rana Khalil’s course (linked in the additional resources section below) has helped me find mine. She’ll help you get an understanding of what a professional “methodology” workflow looks like — especially when you begin to look for specific vulnerabilities. I said before that the modules from the BBH are all you need to pass the Exam, and though technically true, I’m extremely grateful I did something smart (for once) and took her course. I can’t tell you the difference in comfort you’ll feel when you engage in a “black-box” test and at least have some idea of how to begin. It can be intimidating, especially at this level of exam, to be told: “Hey, hack this, ummm figure it out, there are domains and stuff, and like . . . idk do your best” . . . okay, maybe the instructions weren’t that vague, they’d actually spell out “I don’t know”, but you get the picture. And that’s not a knock on HackTheBox, that is genuinely what a “black-box” test looks like: here is the environment, here is your scope, don’t go outside of it, and find the vulnerabilities.
Also, if you’ve ever tried to FUZZ something with the community version of Burp Suite, you’ll be happy to know that Rana Khalil teaches you how to script enumeration attacks in Python, and she does it well. I mean, I learned how to do it, so that’s proof enough. 10/10 recommend her content. She doesn’t know I exist, so don’t worry, this isn’t a plug!!
Final Thoughts on the BBH Path & the CBBH Exam
You’ll want to allocate time for these 7 days. If you can take time off from work, do it. Tell your friends that you’ll be going into the shadows and to only call the cops on the 8th day for a wellness check. Take each day as seriously as the next. Don’t slack at the start thinking you have time, and don’t let up later if you notice you’re flying through it. The end of the week will creep up as the vulnerabilities get harder. Stick to the modules, and take as many screenshots while doing the BBH path as you need (with quick bullet thoughts for memory recall). I’d also suggest gathering an arsenal of additional references you found helpful while doing the BBH path (i.e. write-ups you found most useful during difficult modules, any video content that helped you, and any notes you took that you’re actually proud of). That last part is more aimed at myself.
I mentioned the modules were all you need to pass the exam, yet I referenced additional resources multiple times. It’s true, it technically is all you need — and truthfully the majority of what you’ll be using during the exam, but having that reference arsenal will help you in moments you least expect it, trust me.
So whether you plan to only use the BBH modules as a reference — having the entire path up in 20 different tabs (unless you use Chrome, then RIP) — or you decide to create a cocktail of references you’ve found useful along the way — the most important thing, as cliché as it sounds, is to just believe in yourself. Don’t let the Imposter Demon trick you into thinking using write-ups or additional resources makes you any less than you are. The fact is you completed a Learning Path (Bug Bounty Hunter) that only about 1,300 people in the world have finished. That statistic is a recent fact I’ve learned and I — for one — am proud to say that. And if the statistic is wrong, and the person who told me that just tried to make me feel good, then thank you to them — it worked, and turning in the report was about the most proud I’ve ever felt about myself — besides being the best dad in the world, that is.
Blog Conclusion
HackTheBox is quickly becoming the Industry Standard. With certifications like the Certified Bug Bounty Hunter (CBBH), the Certified Penetration Tester (CPTS) — which, by the way, I’ve heard is harder than the OSCP — and, not to mention, their big flex on OffSec by dropping the Certified Web Exploitation Expert (CWEE) certification, it’s easy to see why so many aspiring penetration testers are curious about it, why so many veteran professionals think so highly of it, & why the current job market is interested in candidates that are HackTheBox certified.
Thank you for putting up with me and reading this far. Come back next week for more chaotic writing, terrible jokes, and finding out why you should get the mentor you need, and how that differs from the mentor you want. PEACE!
Additional Resources:
*Garr’s Twitch Stream: https://www.twitch.tv/garr_7
*Rana Khalil Academy: https://academy.ranakhalil.com/p/web-security-academy-video-series
Udemy: https://www.udemy.com/
PortSwigger Academy: https://portswigger.net/
TryHackMe: https://tryhackme.com/
PenTesterLab Academy: https://pentesterlab.com/
forums.hackthebox.com (message me on there if you’re stuck @ codewidthme)
Josh Gates & Huy Phu (both have amazing write-ups on some of the modules)
How to reach me:
LinkedIn: https://www.linkedin.com/in/amarred07/