An exam you're gonna love: HTB CBBH

My experience with Hack The Box: Certified Bug Bounty Hunter

DRAL3N
6 min read · Mar 2, 2023

In this write-up, we will focus on:

1. What is HTB CBBH?
2. The course
3. Tips before taking the exam
4. The exam
5. Price

What is HTB CBBH?

Last year Hack The Box announced their first certification.

This exam is ideal for individuals who are interested in web application penetration testing and have little or intermediate experience. I would also like to mention here that Hack The Box recently released another exam, the Certified Penetration Testing Specialist. In my opinion, it is a good approach to take the CBBH exam first, to get some experience, and then go for the CPTS exam. There is some overlap between the courses, so if you go for the CBBH first, 30% of the CPTS course will already be completed.

The course

source: https://academy.hackthebox.com/catalogue/paths

In order to start the examination process you need to complete the related Bug Bounty Hunter job-role path on HTB Academy. This course contains 20 modules, with each module consisting of multiple sections. At the end of each section, students are typically presented with practice labs or questions relevant to the topic. Furthermore, at the end of the module, there are larger Skills Assessment labs.

The course content is text-based rather than video. I myself liked this a lot because you can progress at your own pace, and it is easier to go back and search for information compared to videos. Also, it is easier to take notes since you can copy-paste a lot of the stuff you find interesting.

Hack The Box estimates the time needed to complete the path as 18 days. On HTB, 1 day = an 8-hour work day, which means that completing the course takes around 144 hours. Of course, it will take less time if you are experienced, or maybe more if you need a bit more practice and reading. But time doesn’t really matter; the most important thing is to learn and enjoy the process.

To get the most out of the course you need to take good notes. There are a lot of note-taking applications; I used OneNote. I think what is definitely worth noting down are the commands and their most important parameters, plus some examples to copy-paste. It is also useful to have a page where all the attacks are listed together with their possible impact, so when you feel stuck during the exam you can go through this page and use it as a checklist.

If you need help with the labs or have questions about a topic, you can go to the HTB forum or join the official Discord server and ask for help there.

You can get more information about the topics covered in the course here.

Tips before taking the exam

Before jumping right into the exam environment, there are some things we can do to make sure that everything will go flawlessly.

Briefly read through again what was covered in the course, and extend your notes if needed. I spent about 2 hours on this the night before the exam, and I think it really helps put you in the right mindset. This way you will be more efficient at chaining multiple attacks together, which will be required to pass this exam.

As part of the exam, you are required to write a comprehensive report. For this, I recommend taking the DOCUMENTATION & REPORTING module as an additional resource. The report in this module is very similar to the one in the exam. It also covers some note-taking tips & tricks which might come in useful.

If you don’t feel confident enough, you can also practice on Hack The Box; there are a lot of challenges, including web applications.

The Exam

source: https://academy.hackthebox.com/

In order to pass the exam you have to get at least 80 points out of the possible 100. You get these points by submitting the flags you encounter during your pentest. Don’t worry, it will be clear where to look for them, and it’s obvious when you find one. You will also need to submit a report containing all the different vulnerabilities you found in the target systems.

Remember to take good notes during the engagement and write down everything you tried; this way it is easier to spot if something was left out, and you will not have to do anything twice. Having good notes will also speed up the reporting process, so take screenshots whenever you find something interesting.

There are multiple websites you can hack, and they are interrelated. So, if you feel stuck on one of them, don’t be afraid to move on and try another one. Also, try to visualize the problem you are facing. I myself like using good old pen and paper if I can’t find the solution to something. Apart from that, I highly recommend using the search feature in the Academy.

One thing you shouldn’t do is stress about time, because the exam lasts for 7 days. The start may be slower, but things will come together eventually. If you are tired it’s okay to take a break; the best ideas may come during a shower or a walk. On the subject of time, mrb3n wrote this on Discord:

After submitting your report it will take up to 20 business days to get feedback, although it is usually faster. I received feedback after 11 business days, and it contained good news.🥳

Also, if you fail you will get a free retake, but you need to start it within 14 days of receiving the feedback on the first exam. Note that to qualify for a retake you must have submitted a report. To the best of my knowledge, the exam environment stays the same in this case.

The Price

The total price consists of 2 parts: the course and the exam. It is not possible to take just the exam; having the course 100% done is a prerequisite.

The exam itself costs 180 Euros or 210 Dollars depending on the currency (VAT not included).

For the course, there are multiple options. If you are a student you should probably go with the Student Subscription for 7€/8$+VAT per month. I think this is a great deal, and every module you complete stays unlocked even if your subscription expires. If you are not a student you have other options: you can choose either a monthly subscription or purchase “cubes” (the HTB Academy currency) directly. The path itself costs 1410 cubes. You can find out more about the different subscription models here.

Summary

All in all, I think CBBH is a great exam, and if you have some time you should definitely give it a try. Some key takeaways from this write-up:

  • Always take good notes📓
  • Don’t stress too much about time⏰
  • Use the Search feature on HTB Academy during the exam 🔍
  • Have fun learning and get certified😉