bontalor

cbbh_tips

Introduction

Hi :P
This is my first blog post, so I decided to provide some tips for anyone trying to pass the Certified Bug Bounty Hunter (CBBH) exam. This was my first certification, so I completed and studied the HackTheBox modules for months until I felt I was finally able to pass the 7-day-long exam, and I’m glad I was patient because this exam was fairly difficult for me. It was all worth it in the end though, because now I have a shiny PDF with my name on it.

Strategy

I would recommend completing every module in the CBBH path at least twice, because there is some niche information hidden within some of them that you’ll need to remember. It’s important to go through every page in each module, and if you don’t want to fully memorize every single page of every single module, then you should at least remember what each page teaches you so you can go back to the module if you need to. While taking the exam you are allowed to look through every module, so being able to navigate them with knowledge of what each page covers is essential to pass the exam within those 7 days.

One extremely helpful strategy that I used while taking the exam is HackTheBox Academy’s search function. On Academy, the search bar lists every page in every module, so if you remember the name of something or type in some keywords, you can probably find what you’re looking for fast.

Thinking outside the box is something you’ll need to be capable of for some of the machines on the exam; the skills assessments at the end of each CBBH module aren’t going to be 1-to-1 with the machines they give you.

The Report

For me, this was the hardest part of the entire exam, and I probably spent way too much time working on my report. It might seem daunting at first, but you need to document EVERYTHING, so it’s mandatory that you take screenshots with comments every step of the way while exploiting the machines. I kept these screenshots in an imgur album and pasted them into the report with a caption underneath describing what I was doing and how I got there. The report also requires you to identify the CWE for your exploit and generate a CVSS 3.1 score, both of which can be found with simple web searches. Don’t worry too much about the report, because as long as you completed enough machines the report doesn’t have to be perfect.

Good Luck

If you have a solid grasp on bug bounty hunting, then this exam should be a piece of cake, so make sure to fully prepare yourself before you begin. You do have 2 attempts at the exam, but it looks way cooler if you complete it in only 1, so try your best on the first attempt. Don’t stress too much, and remember your resources so you don’t feel lost if you come across something new. Good luck!

pce,
bonta