Passing the CBBH
Preparing for the Certified Bug Bounty Hunter aka the CBBH from HacktheBox? Here’s my review along with some tips and tricks. As of 1 July 2024, there are roughly 530 qualified individuals.
P.S. I passed!
The Exam
- Fully hands-on, zero multiple choice questions
- Requires 100% completion of the HTB academy bug bounty hunter job role path.
- Black box environment
- Zero limitations on tools.
- 7 days total to complete all exam requirements. Including:
- A professional report.
- A minimum number of flags (or a score of 80/100).
- You receive 2 exam attempts per voucher.
- You can reference the academy modules at anytime during the exam.
- The exam is aimed at beginners with little or no prior experience. If you’ve never done a hands-on ‘hacking’ exam, I’d highly recommend this be your first. Honestly, I wish I had done it BEFORE I did the CPTS, but oh well. I’ll explain more on this later.
Preparing
Completing the bug bounty path is a prerequisite for the exam. Some may finish in 4-6 weeks, others may take a few months. It just depends on how much free time you have, so don’t worry about how long it takes you. Instead, focus on having a solid understanding of the course material. I previously completed the CPTS exam (see that review here) so I completed the remaining ~50% of the modules in a few weeks. Here are all 20 modules you need to complete.
For those looking to do extra practice or don’t feel quite ready to sit for the exam, I’d say go through the course material again. The exam is pretty realistic and everything is directly from the course modules. Going outside the course is a very slippery slope. Because of that, I’m not going to recommend any ‘outside’ boxes.
If you REALLY feel you need more practice, redo parts of the course and improve your notes.
AND if you reaaally want some additional resources, read the above tip again. Seriously, you don’t need outside coursework. I’m not going to link anything because I’d like to emphasize that you should be sticking very close to the bug bounty path material; the other stuff isn’t necessary. The course material is very good, and it’s all you need to pass the exam.
My Tips on passing the exam
- This is not a pentest exam.
- You don’t need to go rooting boxes and lateraling networks. You just need to find the ‘cracks’ in the armor.
- Enumerate. Enumerate. Enumerate.
- If it feels like you’re missing something… enumerate more.
- Everything is in the course work.
- Ease off the GoogleFu… Reference your course material.
- Utilize your cheatsheets and notes from Academy. Having commands ready to copy/paste will save you a ton of time.
- Don’t overthink it… KISS.
My thoughts
The bug bounty path ties in nicely with the Certified Penetration Testing Specialist (CPTS) exam by HackTheBox since completing the bug bounty path also completes ~50% of the pentest path. I think those looking to progress to the significantly harder CPTS will enjoy the web-focused CBBH to get a feel for how they perform on a 7 day exam, and how Hack The Box styles their exams. While the CPTS material is much different, beginners will benefit from learning the basics of web hacking. Web hacking is also a great place to start for those who don’t have a specific niche they want to work in.
Also… the exam is pretty fun.
The exam is a great first step for beginners since it is not as ‘time intensive’ as many other exams (like CPTS). For CPTS I actually recommend taking as many days off as possible. In fact, mrb3n from HackTheBox says the bug bounty exam is doable in a few hours a day. Granted you have a firm grasp of the modules, I would agree with this. I managed to get most of the flags in a weekend, and because of this, I was able to relax and only work a few hours a day during the week (while still working full time).
Will this help me with actual bug bounty?
Yes, also no.
You can’t build a rocket on a bamboo pad.
The exam and academy content provide solid foundational web knowledge. However, most websites with established bug bounty programs will be very robust, and this exam only covers the tip of the iceberg. But everyone has to start somewhere, and this is a great place to start.
I think 21y4d and mrb3n from HackTheBox summarize things well here.
Resources
For those interested in other offensive cybersecurity certs, you may be interested in my in-depth CPTS review.
The HackTheBox Discord is a helpful place to be if you’re thinking about taking an exam.
https://discord.com/invite/hackthebox