My journey to become “Certified Bug Bounty Hunter” by Hack The Box

The WhiteHat Panther
Mar 2, 2023

Hi there! I’m Josue. Here is a little bit about my background in this field:

I started in the world of cybersecurity in January 2020, when I took a course related to ethical hacking in general; however, it was pretty basic and the material was 95% theory-only. So, I took around the following 7–8 months to learn more about this field. I dedicated some time to basic web attacks, exploiting Linux and Windows systems, and the typical training based on trying to solve Hack The Box and TryHackMe boxes. Then I stopped studying, and once in a while I watched videos related to the solution of some boxes or maybe some attacks that just showed up while browsing my YouTube account.

In February 2022 I decided to get back to the ethical hacking field, and then I started my path in the Hack The Box Academy. By that time, I guess there was just the “Bug Bounty Hunter” job role path; as a result, I decided to go for this one. Nevertheless, since 2020 I had struggled trying to get RCE to have a shell in the system, so I also thought that learning more about web attacks would be better as a first step, and that learning about non-web attacks on Linux and Windows systems would maybe be better afterwards, because I would be able to get a foothold on a box on my own.

Finally, since June 2022, I have been working as a Junior Web Pentester (if you want to know how I did it without any certification, let me know in the comments). That’s my background, now let’s jump into my training.

My Training

Let’s get started with my training process. In 2020 I was pretty much a script kiddie who did not know why attacks worked. I was just copying and pasting payloads, learning commands and procedures, and attacking while wishing that I could exploit something. I kind of understood how to exploit things, but my basic knowledge was really poor. So, in February 2022 I decided to do things properly, and I started the CBBH path going little by little, with no pressure, just trying to fully get the most out of the content.

In the beginning, I thought about completing one module per week; that way I should finish the path in just five months. It looked like a really good idea for an almost complete beginner. Well, it went differently: in the end I finished the whole path on August 17, 2022. So, it took me a month and a half more; as you may know, sometimes we procrastinate, and we also need time to rest and to properly learn the different concepts.

While I was completing the modules in the path, say I’d just finished the module about XXE, I then decided to go to PortSwigger Academy and solve the labs related to the topic I had just learned in HTB Academy. I truly believe this helped me a lot to really understand how to exploit the different vulnerabilities, and it also helped to review the content I’d just learned.

The first word of advice: once you have learned a new attack in HTB Academy, go and practice this attack on PortSwigger Academy.

Secondly, I was blessed to be working as a web pentester; it gave me the chance to learn how to explore and how to have a methodology to approach auditing a web application from a black box perspective. Additionally, my job makes me try to exploit things manually; that’s something you must try to be good at, since in the exam not every vulnerability will be automatically exploitable.

The second word of advice: if you have real-world experience as a pentester, then this is a plus. If you don’t, try to practice with the recommended HTB boxes to see how good you have become at finding vulnerabilities manually and also with automated tools; this should be a must if you don’t have real-world experience and, like me before getting the job and starting the path, did not have much experience.

Next, I decided that I needed to learn about some real-world bug bounty exploits. So I got a subscription to BBRE; Greg is such an amazing guy, and they have a good community on Discord. I learned some advanced techniques from there. In case you cannot pay for the subscription, you should take a look at his YouTube channel.

Then, I thought I also wanted to look for a wider range of vulnerabilities, and I realized a couple of months ago that Medium has a lot of amazing write-ups related to different topics, vulnerabilities, attacks, etc. So, I got a subscription and started looking for real bug bounty stories; needless to say, there are tons of techniques you can learn for each topic in the academy, and you will be able to see how people found them in the wild.

The third word of advice: try to get a subscription to BBRE or Medium, it will definitely boost your way of thinking outside the box. Besides, you’ll learn some new cool stuff.

Lastly, I reviewed all the topics that were tough for me when learning them in the academy. I tried to solve them again, and I also tried to review the notes and payloads I had taken along the course. You should take notes at least for the solutions you’re doing, and as an extra step, if you don’t have real-world experience, try to practice classifying the vulnerabilities of each skill assessment based on the Bug Bounty Hunting Process module. You’ll have to do that in the exam, so you had better be prepared for reporting vulnerabilities in a good way.

In addition to that, review the name of each section of each module one by one to see if there is any technique left behind that you forgot about. In this way, you can make sure you have really mastered everything you need for the exam.

The fourth word of advice: review every section of each module and every skill assessment to test how much you have mastered all the content for the CBBH path.

The Exam

The exam lasts 7 days, and I’ve read it is common to fail the first attempt, sometimes due to lack of time, lack of knowledge of manual exploitation, or not doing some extra preparation after finishing the path. Whatever the reason, it can happen to anyone; for example, John Hammond failed the CPTS (the other certification of HTB Academy), and that’s fine. We need to learn from other people so that we can try to improve; that’s what reviews are for, for helping other people avoid our mistakes. Without other people’s reviews, I would probably have failed my first attempt.

So, another extra step I took, and I know this may not be possible for everybody, was that I asked for a week of vacation from my work. Thank God HR in my company said yes to it, so I had a whole week free to dedicate to the exam. Without this help, I’m not sure if I’d have passed on the first attempt.

Well, I dedicated 10–12 hours on each of the first three days (the rest of the time was for personal care), and on the fourth day, maybe 5 hours until I could get a passing score of 85. So it took me around 35–40 hours to get a passing score. Maybe I could’ve taken less time to pass it, but here I have a piece of advice for you:

The fifth word of advice: keep it simple. Obviously it is not an easy cert, but try not to attack as an automated tool would do. Think carefully about all the techniques you learned in the path, make a list, and try to see which techniques you have already used; some techniques may be useful again, or maybe not, or maybe you need to look for a technique you haven’t used. Either way, it can help you to keep track of the specific attack vectors you have. You can additionally add the common ways to find each of the vulnerabilities learned in the course, so you can carefully determine whether a technique could be useful or not.

If I had kept it simple, maybe I would’ve saved some hours, or maybe not, who knows. The truth is that I felt like at some points I was so stuck that when I went to the basics, I could clear my mind and find a way to exploit something.

Regarding the result, it takes at most 20 business days to receive your result and feedback. It took 12 days for me to get my certificate and Credly badge.

Besides, I know it’s quite obvious, but the more experience you have the better; for instance, bmdyy broke the exam really fast since he has huge experience in this field. This is why I introduced my experience at the beginning, so that you can have an idea of how prepared I was. It depends on every person. I’m a bit disciplined, and I wish I were more so, to take advantage of the time I had to get prepared, yet that part is up to you.

The last words I can say: you’ll have to think outside the box and probably learn ways of exploiting vulnerabilities you never thought were possible. The satisfaction of passing this exam is incredible; I hope you’ll enjoy your exam as much as I did. If there is any question or feedback, please leave a comment.

Happy hacking!
