HTB CBBH Experience Sharing

CX330
I finally got my CBBH certification from HackTheBox last Friday! This certification is totally underrated! Its content is well-organized and comprehensive. I would say it's a really good start if you're interested in offensive web security. It was an unforgettable experience, and here are some tips for those who also want to join the CBBH gang!
📚 Go through the content twice
There's really A LOT in the CBBH content, from different attack approaches and bypass methods to the ways of preventing the vulnerabilities. Those things are important and detailed, so try to read through the long sections of the content and make sure you understand the mechanism of every attack under the hood. As for me, I went through the content once, and before taking the exam I quickly reviewed it again.
💻 Practice those machines in the content
There are about 5~10 machines (or even more) for each module in the path. That practice is great preparation for the exam. Try to do the machines on your own without searching for writeups, so that you can treat each one as a test for its module. But if you do use writeups, it's totally okay! The most important thing is to make sure you understand the solution instead of just copying and pasting the commands into your terminal.
💡 Small tips
- Make sure you can quickly identify the likely vulnerabilities in an app. For example, when you see a login panel, which vulnerabilities should you test for?
- Everything in the exam is covered by the CBBH path. So don't worry; just try harder when you're stuck.
- You can do some machines on HTB or practice some labs on PortSwigger Academy; both are excellent ways to practice and sharpen your web exploitation skills.
- Make good use of the HTB Academy search feature. On the HTB Academy website, there is a search bar in the top navbar. You can use it as a cheatsheet search tool! For example, if you want to find SSTI payloads, just type "SSTI" or something like "49" (the output of the classic {{7*7}} probe) into it and you'll find things you might have missed in the CBBH path.
- In the exam, regard all the challenges as one big challenge. Since it simulates 5 websites belonging to one company, there will be connections between the challenges. Try to see it as a real-world bug bounty/penetration test instead of an exam; that will help.
- Using summer/winter vacation to take the exam will give you more time to prepare for and take the exam. If you aren't a student, try to take 1~2 days off from work and start the exam on a weekend so that you have enough time to do the machines and write the report.
- Use SysReptor to build a well-organized report. Trust me, it can save you a lot of time (compared to writing the report in Microsoft Word)!
- Don’t give up! Just try harder!
🚩 My personal experience
I took about 3~4 weeks to go through the content in detail, and I got my certification on the second attempt. HTB gives you 2 attempts per voucher, so it's fine if you don't make it the first time. I got 7 flags on my first attempt, which is not enough to pass the exam, but I still submitted my report and my findings, and HTB will give you some useful feedback! Then I got 2 more flags on my second attempt. I would suggest you arrange your time properly. For me, I spent 5 days on the 5 machines and 2 days writing the report. Also, take notes and screenshots while doing the machines; this helps you write a better report! In the end, I got 9/10 flags in total and wrote a report of about 52 pages.
Go check out the CBBH if you want to learn hacking and web exploitation. GLHF!