Certified Bug Bounty Hunter (CBBH)

Hey, if you're reading this, you're awesome! I know that in some way you may be prepping for the CBBH, or maybe you already passed it (congrats 🎉 btw), or maybe you have no idea what it is and this is the first time you're hearing about it, or maybe you've heard about it and you're deciding whether it's worth studying for. Either way, thank you for reading this review, and I hope it helps!

What is Hack The Box?

Hack The Box is a great cybersecurity upskilling platform, and it's all about:

  1. Learning by Doing:

    1. "Learn box pwn by doing more box pwn" - jakesss

  2. Growing:

    1. It's a life long journey of learning and adapting to new technologies

  3. Competing:

    1. A little friendly competition never hurt anyone

  4. Community:

    1. Helping one another, I love their Discord

  5. Gamification:

    1. Making hacking fun

  6. Content:

    1. Top tier learning content

What is the CBBH?

cool little promo by HTB

The CBBH consists of 5 main domains and 20 modules that cover core web application security assessment and bug bounty hunting concepts.

Pricing

The pricing for a CBBH voucher is great: $210 USD for everyone, which makes it much more accessible to students and people like me (I'm broke). Plus, that price includes two exam attempts, in case you fail your first.

And if you are a student, you may be eligible for the HTB Academy student discount: instead of paying $18/month you would only pay $8/month for access to modules up to and including Tier 2, which is not bad at all.

Who is it for?

According to HTB, the target audience for the CBBH is:

  • Entry level Bug Bounty Hunters

  • Junior Web Application Penetration Testers

  • Web Developers

This is true, but I believe that anyone, student or newcomer, who is willing to learn the fundamentals of networking and web applications, then dedicate 30 minutes to 1 hour a day to completing the pathway and truly understanding the concepts, can definitely do it in 3-6 months.

In my case I had a lot of free time on my hands, so I dedicated 6-8 hours a day to studying. I started around the beginning of November 2024 and finished the course content towards the end of December 2024.

Why the CBBH?

  1. Continuous Evaluation

  2. Hands-On & Real-World Exam Environment

  3. Outside-The-Box Thinking & Vulnerability Chaining

  4. Commercial-Grade Report Requirement

  5. Seamless Experience Powered By Pwnbox

Other than the points mentioned above, I think the CBBH is a great beginner-to-intermediate certification and an amazing overall learning experience. I say a learning experience because each and every module will teach you things like File Inclusion vulnerabilities, Cross-Site Scripting, SQL Injection, Command Injection, etc., but then the fun part is putting what you learned to the test in the module's Skill Assessment.

Skill Assessments are a great way to practice what you've learned: they give you an opportunity to learn how the web application works, play around with different payloads, and see how it can be broken. Plus, once you complete the module, you have lifetime access to its content and skill assessments, so if you want to practice a certain topic a bit more, you can just go back to the module's skill assessment and hack away.

Note: Before the CBBH, I really sucked at assessing web applications (I still suck at web apps); I was lost all the time, not knowing where to start. I really feel like the CBBH will set up any entry-level bug bounty hunter or junior web application penetration tester for success by providing a solid methodology to use on real-world engagements. Not only that, but the CBBH also teaches you how to communicate these findings in a professional manner.

Exam Prep

When it comes to exam prep, the most important thing you can do is to have a solid methodology and to stick to the course content. During the exam you may want to go off on a tangent or down a rabbit hole, but trust me, go back and refer to your notes or use HTB Academy's search feature.

Personally, I said YOLO and took the exam a few days after completing 100% of the CBBH course. I did read that getting the initial foothold on the BountyHunter, Academy and Forge machines and writing a report for them is a good way to test whether you're ready.

But I would definitely say that the modules are all you need to pass the CBBH.

My Exam Experience

Attempt 1

I was so ready, or so I thought, but also worried about taking the exam because I didn't do any practice boxes to gauge my preparedness. But YOLO.

Day 0 01/09/25:
    - 9:02pm EXAM START
    - [0/100] 9:18pm Connecting to VPN and Starting Lab Instance
        - LET'S DO THIS!
    - [10/100] 11:30pm
         
Day 1 01/10/25:
    - [20/100] 1:42am 
        - 2:00am SLEEP
        - 5:45am Start
    - [25/100] 6:50am 
        - 8:26am SLEEP 
        - 2:02pm Start 
    - [35/100] 6:40pm 
        - 7:00pm BREAK
        - 8:30pm Start
        - 1:06am SLEEP/LONG BREAK (IM GONNA FAIL!!)
        
Day 2 01/11/25:
    - 9:00pm Start
    
Day 3 01/12/25:
    - 4:02am SLEEP/LONG BREAK(FOUND NOTHING!)
    - 7:00pm Start
    - 11:17pm SLEEP
     
Day 4 01/13/25:
    - 7:00am-12:00pm Report Writing
    - 1:00pm Start
    - [50/100] 6:00pm
        - 7:00pm BREAK
    
Day 5 01/14/25:
    - 12:00am Start
    - 2:30am SLEEP
    - 1:00pm Start
    - [55/100] 2:00pm
        - 2:30pm BREAK
        - 6:00pm Start
    
Day 6 01/15/25
    - [70/100] 1:11am (I MIGHT PASS!)
        - 1:30am SLEEP 
        - 9:37am Start
        - 6:00pm LONG BREAK (NOPE, GONNA FAIL & SUBMIT REPORT)
    
Day 7 01/16/25
    - 9:02pm EXAM END + SUBMIT REPORT
    
Unfortunately, I failed my first attempt by 10 points :(. I submitted my report with the findings I had so far and went back to the drawing board.

Attempt 2

DAY 0 01/24/25
    - 12:15pm EXAM START
    - [10/100] 12:35pm
    - [15/100] 12:54pm
    - [20/100] 1:48pm
    - [35/100] 1:57pm
    - [45/100] 2:10pm
    - [60/100] 4:00pm
        - 6:15pm BREAK
        - 9:15pm Start
    - [70/100] 10:56pm
        - 11:44pm HOLD UP IM ONTO SOMETHING
    - [80/100] 12:27pm PASSING GRADE    
        - FINISH UP REPORT + SUBMIT
    
I was able to get 80 points on my second attempt! I updated my report and submitted it.

Me after the CBBH

Tips and Tricks

Methodology

Build a solid methodology! Make it your own, automate it if you want, but leave no stone unturned.

  1. Manual Enum

  • HTTP Response/Request Headers

  • Source Code

    • JS source files

    • href links to other directories

  • Wappalyzer

    • tech stack

  2. Be a user of the web app: get familiar with its functionality and understand what it's doing on the backend

  • Capture every single request/response in Burp Suite

  3. Fuzzing

  • VHost and subdomain enum with ffuf

  • File fuzzing

  • Param fuzzing

  • Repeat steps 1-2 if applicable

  4. Abuse functionality, test for possible vulnerabilities

  • Identified an interesting functionality?

  • What is it doing in the backend?

  • Visualize the code that is handling this functionality

  5. Nothing worked?

  • Repeat steps 1-4

  • Refer to your notes and take a different approach; you may be hyper-focused on one thing, so try that other thing you found
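To make steps 1 and 3 concrete, here is an added example (my own illustration for this section, not code from HTB or the CBBH course). It stands up a constructed local target that serves a different page only when the Host header matches a hidden vhost, runs a tiny ffuf-style vhost fuzz that takes a baseline with a Host that cannot exist and flags any response whose size differs (the same idea as ffuf's -fs filter), and then does a first source review of the page it finds: Server/X-Powered-By headers, script src attributes, href links to directories and HTML comments. The vhost name dev.target.htb, the wordlist, the headers and the page contents are all made up for the demo.

```python
"""Added example: ffuf-style vhost fuzzing plus a first source review,
against a constructed local target (nothing here is a real host)."""
import threading
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

# --- Constructed target: the dev vhost only shows up for the right Host header ---
HIDDEN_VHOST = "dev.target.htb"  # assumption: the vhost we hope to discover
DEFAULT_PAGE = b"<html><body><h1>Welcome</h1></body></html>"
DEV_PAGE = (b"<html><head><script src='/static/js/app.min.js'></script></head>"
            b"<body><a href='/admin/'>admin</a><a href='/uploads/'>files</a>"
            b"<!-- TODO: remove /backup.zip before launch --></body></html>")


class TargetHandler(BaseHTTPRequestHandler):
    def version_string(self):  # value of the Server response header
        return "nginx/1.18.0"

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = DEV_PAGE if host == HIDDEN_VHOST else DEFAULT_PAGE
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Powered-By", "PHP/7.4.3")  # constructed tech-stack hint
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Bind the constructed target to a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, host, path="/"):
    """GET path from the target with an explicit Host header (this is the FUZZ position)."""
    req = Request(f"http://127.0.0.1:{port}{path}", headers={"Host": host})
    with urlopen(req, timeout=5) as resp:
        return resp.status, dict(resp.headers), resp.read()


def fuzz_vhosts(port, domain, wordlist):
    """ffuf-style vhost enumeration: baseline = response for a Host that cannot exist,
    then report every candidate whose body size differs from it (like ffuf -fs)."""
    _, _, baseline = fetch(port, f"nonexistent-{domain}")
    hits = []
    for word in wordlist:
        host = f"{word}.{domain}"
        status, _, body = fetch(port, host)
        if len(body) != len(baseline):
            hits.append((host, status, len(body)))
    return hits


class SourceReview(HTMLParser):
    """Step 1 of the methodology: pull script files, directory links and comments."""
    def __init__(self):
        super().__init__()
        self.scripts, self.dirs, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        if tag == "a" and a.get("href", "").endswith("/"):
            self.dirs.append(a["href"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def review_response(headers, body):
    """Tech-stack headers plus everything SourceReview found in the HTML."""
    tech = {k: v for k, v in headers.items() if k.lower() in ("server", "x-powered-by")}
    p = SourceReview()
    p.feed(body.decode(errors="replace"))
    return {"tech": tech, "scripts": p.scripts, "dirs": p.dirs, "comments": p.comments}


def run_demo():
    """Fuzz a constructed wordlist, then review every vhost that responded differently."""
    srv, port = start_target()
    try:
        hits = fuzz_vhosts(port, "target.htb", ["www", "api", "dev", "staging"])
        findings = {}
        for host, _, _ in hits:
            _, headers, body = fetch(port, host)
            findings[host] = review_response(headers, body)
        return hits, findings
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    hits, findings = run_demo()
    print(hits)
    print(findings)
```

On a real target the same loop is `ffuf -w wordlist.txt -u http://target.htb -H "Host: FUZZ.target.htb" -fs <baseline size>`; the script just makes the filtering logic visible. The baseline is taken with a Host that cannot exist on purpose: many servers answer unknown hosts with the default vhost's page, so "differs from the default" is the signal, and a size filter alone will miss a vhost that happens to return an identically sized page (ffuf can also filter on words, lines or status for that reason).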

The Report

Many have used SysReptor, but I felt like it was too complicated, so instead I opted for MS Word, which worked great alongside the template HTB provides.

Tip: Write your report as you go. Found something? Write it up in the report, provide remediation, etc., and then continue.

Tip: Don't be afraid to ask ChatGPT for help with wording: "how can I word this better?", "how can I explain this better?", "does this make sense?", etc. Just keep it to wording; on a real engagement, don't paste client hostnames, credentials or other confidential findings into a third-party service.

Tip: Take detailed, chronological screenshots; that means not leaving out any step in identifying or exploiting the vulnerabilities you find.

Tip: Organize your screenshots into folders as you go. This saves a lot of time later when you're looking for a specific screenshot and they all begin with "Screenshot_...".

Tip: Begin your report with the most critical vulnerabilities, then high, then medium, then low. In real life, companies want to see the most critical findings first, since those require the most attention.

Misc

  • Please do not be like me: GET plenty of rest!

  • Please start your exam in the MORNING; I started at 9:00pm 💀

  • Start on a Saturday or Sunday

  • Touch grass, take a walk, drink plenty of water (or your favorite energy drink)

  • Talk to friends and family, go to the gym, go shopping, watch Netflix, do something you enjoy

Questions

  1. Do I need the CBBH to start bug bounty?

    1. No, but will it help you become a better cybersecurity professional? Yes.

    2. Many start with PortSwigger Academy and work their way into bug hunting from there

  2. Will the CBBH help me find bugs on hackerone, bugcrowd, etc?

    1. Maybe; I know a couple of guys who were able to find their first bug after taking the CBBH

  3. Will the CBBH make me a better Web Application Pentester and Bug Bounty Hunter?

    1. Heck yeah!

  4. Is the exam CTFy?

    1. No, the exam didn't have any gotchas or "look for this super secret thing in order to exploit" moments

  5. Do I need external sources/training to prep for the CBBH?

    1. No, the course content is all you need, IMO.

    2. But you can supplement with PortSwigger Academy labs and the HTB machines mentioned before

  6. Will the CBBH help me find a job?

    1. Maybe; I have seen the CBBH on a few job postings

    2. I do know someone who has received a job offer

  7. How does the CBBH compare to the eWPT, BSCP, OSWA, PWPA, PWPP, OSWE?

    1. I have not taken any of those, so I can't make a valid comparison

    2. But I would say the BSCP and OSWE are much more difficult, based on what others have said

Next Steps

Love web?

If you love web:

  1. PortSwigger labs / Burp Suite Certified Practitioner (BSCP)

    1. reinforce what you learned on HTB academy

    2. training is free and the exam is $100

    3. does require Burp Suite Pro, but you could get a 1-month free trial

  2. Start bug bounty hunting

    1. HackerOne, Bugcrowd, vulnerability disclosure programs (VDPs)

  3. Hacking Hub

    1. some realistic free hubs that cover different web vulnerabilities

    2. a good way to test your skills

  4. APIsec University

    1. free API security training

  5. HTB CWEE

    1. does require a higher subscription tier on HTB Academy

Want to explore other niches and combine web and network pentesting?

Want a short break from web? (Web isn't entirely excluded, but at this point it's a bit more AD and network pentesting.)

  1. HTB CPTS

  2. OSCP
