HTB CBBH – Course and Exam Review

After passing the eWPT, I was looking for another web application certification that might help to elevate my skills and help me to review web application penetration testing exploits and methodologies. I stumbled upon Hack the Box (HTB) Academy, which offered a Certified Bug Bounty Hunting (CBBH) course and exam. I looked over a couple reviews and decided that I wanted to give it a try.


The pricing for HTB Academy varies because they have a platform currency called Cubes that can be used to unlock modules for training. I would not recommend buying any cubes, but rather I would recommend going with a yearly subscription. At the time of writing this, the yearly subscription costs $490 for access to all Tier II and below modules, which is exactly what is needed for the CBBH course. Also, the yearly subscription comes with one exam attempt. If you are a student, they do offer a monthly student subscription that costs $8 a month and gives the same access as the yearly subscription; however, it does not come with an exam attempt.

CBBH Course

The course is laid out into 20 modules. Each module consists of multiple sections with hands on labs and a skill assessment at the end of the module to put everything together. All 20 modules are listed below. I believe HTB does a good job of laying the modules out in a logical order; however, you can complete the modules in any order you want.

  1. Web Requests
  2. Introduction to Web Applications
  3. Using Web Proxies
  4. Information Gathering
  5. Attacking Web Apps with Ffuf
  6. JavaScript Deobfuscation
  7. Cross-Site Scripting (XSS)
  8. SQL Injection Fundamentals
  9. SQLMap
  10. Command Injections
  11. File Upload Attacks
  12. Server-Side Attacks
  13. Login Brute Forcing
  14. Broken Authentication
  15. Web Attacks
  16. File Inclusion
  17. Session Security
  18. Web Service & API Attacks
  19. Hacking WordPress
  20. Bug Bounty Hunting Process

The course seems to focus mostly on how to discover vulnerabilities and exploit them and does not have a huge emphasis on bug bounty hunting itself. For each vulnerability that is covered, there is a section that goes through remediation with specific examples overviewing vulnerable code and showing the remediated code, which I found to be helpful while going through the material.


You must complete all of the modules before you can start the exam. Some people I talked with did not like this specific restriction; however, I can understand why HTB made this requirement. I believe this is required because they have different subscriptions, and they want to ensure you have unlocked and completed all the modules that pertain to the specific exam because all the material needed to pass the exam is covered in the modules for the class.

Upon starting the exam, you are given 7 days to complete the requirements for the exam and write the report. The exam environment is accessible via a VPN connection, or you can use the browser-based HTB Virtual Machine (VM). Also, HTB will provide you with a report template that lays out exactly what is expected within the report. I found the exam to be both rewarding and challenging. I believe HTB did a good job of including most things from the modules on the exam. It requires you to think outside the box in some places. Also, the exam will force you to chain exploits together and requires a great deal of enumeration.

I did pass the exam on my first attempt; however, it did take me almost the entire time to achieve a passing score. Also, I learned some things while taking the exam that I would not have learned from just the modules alone. Unfortunately, I can’t go into specifics because that would give away some exam information.


I would recommend this course to anyone, but I will say that if you don’t have a solid base in web programming, the course will be challenging and will most likely require some additional learning outside of HTB Academy. I found the modules to be a mix of review and new techniques; however, towards the end of the course I was ready to be done with the modules and move on to the exam. I did see multiple people mention doing additional review for the exam outside of HTB Academy to include things like the PortSwigger labs. I did not do any additional review outside of the modules; however, there were times in the exam when I wished I had. Overall, HTB has put together a solid course and an even better exam that will thoroughly test the participants’ ability to find, exploit, and document vulnerabilities across multiple web applications.