Introduction
I will try to not repeat advice and tips given on previous exam experience articles to keep this post interesting and relevant, which also includes my previous article on CPTS as I would say most tips from that article apply to this one as well.
The Hack the Box CPTS path path shares about 60% of the modules with the Hack the Box CBBH path and since my Silver Annual sub was still active and I always to tackle a purely web penetration testing certification(unlike CPTS which covers general penetration testing), I decided to complete the remainder of the modules and take a shot at the CBBH certification. Coming fresh from the exam, I am happy to share I have managed to score 9/10 flags on my first attempt in four out of seven days(including report writing), working about 8 hours a day. As exam grading can take up to 20 business days, I have decided to write a quick article to share my experience with the exam in the meantime, some tips and machines I liked as preparation. I will be updating the article later once the grading process is complete.
Update: Today, 27/05, I have received confirmation from the HTB team that my report matches the commercial standard and I have successfully passed the certification!
Experience
The exam environment has been unlike any simulated environment I have seen so far. The applications were realistic and built for actual users, not with the sole intent of being “hackable”. Finding the exploitation steps required deep understanding of the modules taught in the path and how skills and techniques taught in one module can be helpful for another module, a fact also mentioned several times by the module authors themselves throughout the path. I would say overall the exam is very challenging, but fair as the path does cover everything needed to pass the exam which tests the candidate on all the modules taught.
The environment was also very stable as it was able to sustain enumeration from multiple tools, while manual user interaction with the applications was still intact. The stress level was also lower for me when compared to CPTS, since CPTS covers general penetration testing requiring mindset shifting from web penetration testing to privilege escalation to active directory penetration testing and so on. Depending on the individual, these transitions can add to the overall exam stress load, CBBH being web only to the end and less linear.
For me this was the best training and exam for black box web penetration testing, I would recommend it to anyone wanting to increase their skills in this area, with some modules even touching a little on whitebox analysis.
Tips
My first tip #1 is doing the Documentation & Reporting module in addition to the other modules(not part of the CBBH path). The Bug Bounty Hunting Process that is part of the path does cover how to write findings properly, but it’s very brief, lacking the depth of the former module. This combined with HTB’s high standards for report writing can make this portion of the exam really challenging without going through the Documentation and Reporting module as well. As per the SysReptor Template , the report also requires an Executive Summary, which is also not covered by the Bug Bounty Hunting Process module, but is very well covered by the Documentation & Reporting module.
My second tip #2 is to install SysReptor, download the CBBH template and examine it prior to starting the exam in order to plan a report writing strategy. It’s likely not a good idea figuring out how to write a good report during the exam itself or to only start working on the report after completing the practical portion. The strategy does not have to be complex, mine is pretty simple:
- At the beginning of the engagement fill in the sections:
- Meta
- Executive Summary > Scope
- During engagement fill in the sections:
- Findings. I personally would write here every time a Finding is discovered, but this is personal preference, you can instead do 2-3 findings at a time if they are part of a bigger chain for example.
- Appendix > Flags Discovered every time a flag is discovered.
- At the end of the engagement:
- Executive Summary > Assessment Overview and Recommendations.
- Tidying up the report: grammar correction, proof reading, styling etc. The idea to formulate a report writing strategy and this strategy itself was inspired from this very good article by Bruno Moura on CPTS report writing, which I highly recommend reading as well as it goes in way more depth.
My next tip #3 is to not spend too long on a target when stuck. For me it was not uncommon switching to a different target and during testing said target coming with a fresh idea for the previous one which allowed me to progress further.
My last and final tip #4 is doing only the External Testing section of Attacking Enterprise Networks module and some boot2root machines as prep before the exam. I touched upon this a bit in my CPTS Review , but the essence is that in my opinion the skill assessments at the end of each module are not black box pentesting. Black box testing implies no prior knowledge of what vulnerabilities might be present on a target, which is in stark contrast to the skill assessments. To illustrate the point with an example, at the end of the “Command Injection” module, the student is presented with a web application to test their understanding of the concepts taught. The student knows that the challenge will involve finding a command injection vulnerability. In real life or in the exam, when you are presented with a web application, you come in with no knowledge of what vulnerabilities the application might suffer from. The process involves testing each parameter and application functionality meticulously for multiple vulnerability classes, not just command injection. And sadly there is no module in the CBBH path which covers this aspect, whereas CPTS’s final module does cover this, presenting the student with multiple web applications with no knowledge of what vulnerabilities might be present. I really hope this is something that HTB will work on in the future(a capstone of sorts).
This is also a good time to write a practice report on the External Section of AEN, which would include a finding section for each vulnerability found and the executive summary.
As it is at the moment there is a CBBH CTF Challenge Pack offered by the HTB’s CTF platform. “The Bug Bounty Hunting Enhanced Pack also serves as a critical stepping stone for participants preparing for certifications like the CBBH and advancing toward the CWEE certification.” However, it’s only available as a purchase for an organization/enterprise, not for individuals, which is a very tough decision for students that are not part of a company willing to pay for it, as there is no other way to get access to these challenges, which would have been great practice for the CBBH exam, especially when there is no capstone for CBBH such as AEN is for CPTS. For now, I will be leaving below my favorite machines I used during the prep.
Machine List
Feel free to skip the Local Privilege Escalation portion if you are only interested in preparing for the exam. THM machines are a pretty gentle introduction to boot2root machines for people that haver never done any, but if you already have experience in this area or they seem too easy feel free to skip them.The lists are easy to copy paste and import into your favorite markdown readers for easy progress tracking. In addition to the below I also recommend the machines in ippsec’s CPTS list as most of them include some kind of web foothold. Do not feel compelled to complete all the machines in the list, just until getting enough confidence with black box web penetration testing to sit the exam.
As you go through machines, try to refine your black box methodology for web apps(or build one if it does not exist).
TryHackMe
| Index | Machine | OS | Completed? |
| :---: | :-------------------: | :-----: | :--------: |
| 1 | Chill Hack | Linux | |
| 2 | Cyborg | Linux | |
| 3 | Game Zone | Linux | |
| 4 | GamingServer | Linux | |
| 5 | Skynet | Linux | |
| 6 | Steel Mountain | Windows | |
| 7 | Tomghost | Linux | |
| 8 | Overpass3 | Linux | |
| 9 | Intranet | Linux | |
| 10 | Dogcat | Linux | |
| 11 | Hack Smarter Security | Windows | |
| 12 | AllSignsPoint2Pwnage | Windows | |
| 13 | Relevant | Linux | |
| 14 | Year of the Fox | Linux | |
| 15 | Year of the Pig | Linux | |
| 16 | For Business Reasons | Linux | |
| 17 | Daily Bugle | Linux | |
| 18 | Internal | Linux | |
HackTheBox
| Index | Machine | OS | Completed? |
| :---: | :----------: | :-----: | :--------: |
| 1 | Bashed | Linux | |
| 2 | BountyHunter | Linux | |
| 3 | Friendzone | Linux | |
| 4 | Bastion | Windows | |
| 5 | Return | Windows | |
| 6 | Heist | Windows | |
| 10 | Cronos | Linux | |
| 11 | Shibboleth | Linux | |
| 12 | Bastard | Windows | |
| 13 | Sniper | Windows | |
| 14 | Alert | Linux | |
| 15 | Cap | Linux | |
| 16 | GoodGames | Linux | |
| 17 | TwoMillion | Linux | |
| 18 | Headless | Linux | |
| 19 | Usage | Linux | |
| 20 | OpenSource | Linux | |
| 21 | Editorial | Linux | |
| 22 | Nineveh | Linux | |
| 23 | Enterprise | Linux | |
| 24 | Forge | Linux | |
| 25 | RedCross | Linux | |
| 26 | Timing | Linux | |
| 27 | Node | Linux | |