Certified Bug Bounty Hunter: Should you go for Broke, or take a Junior Level Certification First


codewidthme

This blog is mainly for those just starting out and curious whether jumping straight into HackTheBox certifications is the right choice for you. For those who want to jump straight into the title content, I don’t blame you: {https://arc.net/l/quote/jdnsbmxw}

New to blogging and new to Hacking, my imposter syndrome (or what I call the Imposter Demon) threatened the probability of this blog ever seeing the light of day. But starting my first blog in this way puts the demon not in my rear-view but directly in the chair next to me, forcing it to watch as I break the chains we all experience in our respective domains. Hi, my name is Amar Redzepagic, and the past 4 months have been the most insightful and difficult yet, and have even affected my relationship with my family & friends (more on this later). In this blog I’ll write about my experiences with both the PJWT & CBBH, whether or not you should take one before the other, and how they compare in terms of difficulty, requirements, and worth.

www.hackthebox.com

While figuring out how to write this blog, I didn’t think I’d touch on my personal journey at all. My ego is secretly big — as I think all of ours are — but not that big. “No one is going to care, just write the review and publish it”, I thought to myself; and that could very well be the case. But regardless of the outcome here, if this helps even one person looking for a little bit more insight other than just the Technical (which we get into below), it will have been well worth it. And this wouldn’t be an authentic blog if I didn’t admit the selfish part: that I needed to prove to myself I wasn’t full of sh*t — and that I really have found what I want to do for the rest of my life.

Shameless Plug:

Publishing this is just part of the beginning, as I plan to do write-ups on the CBBH Path Modules to help those struggling or stuck on the course. Also, I plan to drop a blog related to hacking in one way or another weekly. So, come back next week for more on why I think finding a Mentor is almost mandatory.

I told you I had an ego, but in fact it has nothing to do with confidence. I mentioned in the intro that I recently submitted my report, which means that I am currently awaiting the report portion of the results. However, I think of this blog more as a big middle finger to the Imposter Demon and a small thank you to the hacking community in general. I’ve learned that a Hacker is only as good as their community & network. So, I feel that now it’s my turn to start paying it forward.

Now, to provide some proof-of-concept against any potential fluff I might have unintentionally given off, I’ll humbly admit that my input may be of use to someone looking for some insight, simply from the fact that during the CBBH exam you’ll know right off the bat whether you’ve passed the “Technical” portion or not. I’m not sure of the boundaries here, so I’ll keep it pretty vague, but I’ll hint that it’s pretty similar to the academy modules and how you progress through them. That said, I’m happy to say that I got enough points to pass the Technical portion of the exam. However, that’s where I’ll stop, because that’s only half the work; the report is arguably just as difficult and important. It’s the part that validates whether or not you’re real-world ready.

Before we begin, I’d like to say that many people have helped me along the way, whether through words of encouragement or just virtual study buddies. I’m afraid it isn’t possible to list all of you, however you know who you are, and thank you. That said, allow me to address 3 specific individuals who are directly — or indirectly — responsible for me finding my authentic love for Hacking and why I can call myself a Hacker today. Out of respect for their privacy I won’t be using their real names, but referring to them by their Hacker names instead.

November 31st, 2023, I met my Mentor, who has now become my dear friend, Ronin. I wouldn’t be writing this blog today if not for him. He helped me realize I wasn’t being authentic in my approach and was not “acting like I belong”. What this man has done for me & potentially my family cannot be stated in one paragraph. His influence on me and the impact it has made on my life deserve a separate blog entirely, which I’ll publish sometime next week: “The Mentor You Need vs The Mentor You Want”. There, I will go further into depth on how important it is to find the “Right” mentor for you. Oh, and by the way, Ronin is a really bad A$$ hacker, which makes talking about him feel like a flex on my part!

Next up, SecretAsianMan. Oh, how I love to hate this guy. He’s one of those people that make hard things look easy. He’s also a Chargers fan (yuck), but I genuinely admire him, not just as a Hacker but as one of the most kind-hearted, genuine people I’ve ever met in my life. He’s directly responsible for me starting out in the first place, and also indirectly responsible for me crossing paths with my Mentor and the 3rd individual below. One story I always bring up when I talk about him (if he’s reading this, he knows what I am about to say) is how he came to my house with a Windows XP machine in 2020, and if my memory recalls correctly, he didn’t even know how to open Windows Task Manager via keyboard shortcuts. I knew his intellect was way above average, but at that time he had very little technical experience. Despite all that, he looked at me and said “Yeah, I think I’m going to be a hacker”. Okay, pal, whatever you say . . . Sure enough, in less than a year, not only did he pass the eWPTv1 (when it still had the report) but he began doing professional contract Penetration Tests. So, you’re correct to think that by now he’d have made Senior Penetration Tester (in under 5 years, might I add) at the company he is currently working for. He’s an example of someone that excels in anything they do, which p*sses me off, and also — I couldn’t be more proud of him; even more than that, to call him one of my best friends.

Finally, we’ve reached the third shoutout, Garr. I don’t have the pleasure of knowing him as intimately as the 2 mentioned above; however, to say that he has been an inspiration in my journey would be an understatement. My Mentor (Ronin) once showed me a documentary about a hacker named Kingpin. I’m sure some of you have heard the name before. Well, while watching this documentary about Kingpin hacking a bitcoin locker, I felt an unsettling “awe” sensation that I have only experienced twice since my journey began. Once during the Kingpin documentary; the other was when I first watched Garr hack & educate his community on stream. Let me be clear, it wasn’t a negative feeling whatsoever, but more of a signal that there was something I needed to address internally within myself. Both Garr & Kingpin radiate this internal peace that made me uncomfortable at the time. Watching them also somehow provided me a reassuring warmth about the future. It was while re-watching the documentary — only days before taking the PJWT — and with the assistance of my Mentor through our daily discussions, that I was able to articulate what that unsettling feeling was. Garr & Kingpin are examples of what it looks like to be 100% authentic with yourself, and what it looks like to have a sense of genuine fulfillment in what you do. To elaborate, there are those who hack because it pays the bills, then there are those who want to become hackers for the income it presents; and then there are the 2% who become hackers because it is what they were meant to do. Their passion & love for what they do reminds me of what childhood felt like. So with that said, watching Kingpin & Garr hack, through personal discussions with my mentor — and, may I add, by interacting with the hacking community — I realized I was going about this the wrong way, and it was only then that something clicked in me.
I realized I had it too, and was simply too afraid to allow myself to become unconditionally passionate about hacking from the start. Don’t get me wrong, I am not comparing myself to them whatsoever. It’s quite possible that I will never become the hackers they are, nor am I naive enough to think it is even a “sure” possibility. But I can say that thanks to my mentor, my close friend SecretAsianMan, and watching Garr do what he does — I have become 100% authentic with hacking & myself again. I can confidently say, without a shred of doubt, that — yeah — I am a Hacker. God, that feels great.

Are we there yet?

Yes — yes we are. The above was mandatory, and still isn’t enough to describe my gratitude, but alas, we’ve made it to the part you all came here for. Those of you who’ve read all the content above, thank you for suffering through the chaos that is my stream of consciousness. And, to those of you who clicked the “skip” link in the intro, F*** you. Just kidding, just kidding! Welcome, and I appreciate you guys for stopping in to read the blog.

Fun Emblem you get when you pass

February 28th, 2024, I passed the Practical Junior Web Tester certification (PJWT) from TCM-Security. To my surprise — and I hardly have the credentials to think so, I’ve had a number of aspiring penetration testers reach out to me on LinkedIn asking me if they should go for a Junior Level Certification or if they should jump straight into something like the CBBH. Short answer: If you struggle with confidence, procrastination, and are new to Penetration Testing (you’ll know what that means for you), go for a Junior Level Certification.

Expectations

The PJWT will provide you with a fundamental understanding of Web Application Architecture, core principles of Web/App Security, and an idea of how to utilize resources such as the OWASP Top 10 to help distinguish between vulnerabilities. For example, the difference between XML External Entity (XXE) and Cross-Site Scripting (XSS): both involve injecting malicious content and can “potentially” lead to similar consequences, for example chaining attacks to get a shell through a Remote Code Execution (RCE) vulnerability. But their fundamental difference lies in how they interact with the application stack and how they operate on different layers. That is a bit more advanced than what the PJWT will touch on, but it gives you an example of how useful resources like the OWASP Top 10 can be. Plus, doesn’t “getting a shell” just sound like some awesome hacker sh*t? Yeah.

Back to what you should expect from the PJWT. You’ll learn how to map a website for vulnerabilities, and what that looks like. You’ll learn how to use pentesting tools such as Nmap, Burp Suite, DevTools (technically not a pentesting tool), and even simple Python scripts. You’ll also learn things about the terminal which will make you feel really cool: curling web requests (GET/POST/DELETE/PUT), enumerating passwords & usernames using ffuf, SQLmap (for automated SQL injection), DirBuster, and how to navigate the terminal with basic Linux commands. But my favorite part was that the PJWT will teach you how to write a Security Assessment Report after finding the necessary vulnerabilities in the web application. However, I’ll admit the CBBH report was a whole other animal; you’ll get into CVSS ratings & how to use CWE when looking for specific vulnerabilities & potential chains.

Getting Started

Now, depending on how new you really are to pentesting, or maybe IT in general, the PBB course will go over a brief review of all the Basic Information Technology essentials, for example: what an octet is in an IP address, how web application firewalls (WAF) work, and how the h*ll to properly set up “listening” servers with PHP & Netcat — notice my emotional attachment to the last part; yeah, I was confused for a long time about how it actually worked rather than just plug&play. But even more important than all that, it will teach you how to set up your Penetration Testing environment. You’ll know how to set up virtual machines depending on the OS you’re running (they’ve got videos for both). It’ll help you get started on Kali Linux (this is when you’ll really start getting an idea of what’s to come). The rest is just practice, meaning the more time you spend on Kali and setting up servers, the easier it will become. You’ll eventually realize the importance of taking snapshots (if you’re one of those who really customize your Kali environment like me — terminal wallpapers, anyone??).

TCM-Security’s Practical Bug Bounty Course

Requirements

Unlike the CBBH, where completing the path is required in order to take the exam, the Practical Bug Bounty (PBB) course is not required for TCM’s PJWT. However, I highly recommend it. Everything you need comes directly from the content in the course, and I mean EVERYTHING you need. “Duuh”, I can hear some of you saying, but too often exam courses are filled with filler content that isn’t necessary for completion of the exam itself. That kind of content should be labeled “additional resources”. Unfortunately, INE is infamous for that kind of “filler” content today.

By now you should have an idea of what to expect, what the requirements are (if any), and if taking the PJWT is worth it for you. If all of the information above sounds familiar to you & you have experience with it already, I’d say go for the CBBH.

But, if not, I promise getting the PJWT or a similar level certification will give you the confidence that is necessary for 99% of the aspiring penetration testers out there that are about to take on the beast that is the CBBH. Yet again, another example of how important a mentor is. Mine recommended that route, and I am so glad I did it. Because what’s to come will truly test you beyond your limits if you are as new as I was, and still am.

HacktheBox’s Bug Bounty Hunter Path

Is the title a flex? You bet your root’n toot’n socks it is. Am I proud of it? Wholeheartedly. Is it recommended? Absolutely not. Did it affect my physical & mental health? Yes. Did I do it alone? F**k no!

This quick disclaimer is directed to the .5% of you that have lived your entire lives in an “all or nothing” mentality. And, when I say the .5%, I mean that they truly live life on such a dramatic tilt of the scale that it can jeopardize their health & personal relationships. They’ve pulled off the impossible before and unfortunately their ego allows them to think they’re some kind of prodigy (and I’m FAR from that, to be clear). Furthermore, without getting too personal, my situation was desperate to say the least, and that is why I did it in the time frame I did. And, to be transparent, pulling off the impossible — and that’s what this time frame was, especially to someone who didn’t even know how to use Nmap as recently as January 14th of this year — would not have happened without the hacking community: forums.hackthebox.com, module write-ups (hence the paying it forward), and of course my direct network. I never would have been able to pull it off while actually retaining the information at the same time.

However, this “Job-Role-Path”, as it’s called in the academy, is Imposter Demon proof. At first your demon will bask in your self-doubt, but the further you get, the more you will start to realize how far you’ve come and that you’re learning some things some veteran Penetration Testers don’t even see in the field (as I’m told). So, it doesn’t matter if you’re looking at the write-ups or asking for nudges from people (don’t make the same mistake I did by letting pride get in the way; ASK for help!! As soon as you need it, don’t wait!!) — it’s impossible to get through it without knowing what you’re doing in some sense (unless someone simply does the work for you, but that’s not fun, and you’re in a world of hurt for the Exam and any future endeavors in this field if you do that). My point is, take your time if you have that luxury; if there is no gun pointed at your head, no family to provide for, and no banks calling your phone, don’t rush this. Enjoy the process and keep your health & personal relationships healthy.

To my loving wife who sacrificed so much to allow me to study 12 hours a day, thank you and I love you. We’re so close to the finish line.

HacktheBox’s Certified Bug Bounty Hunter

If I had to compress it into 2 words, other than the obvious (the topics were just more advanced), it would be: Chain Attacks. Imagine having to find a vulnerability, okay go on . . . Now imagine using that vulnerability in order to exploit another vulnerability . . . okay and . . . with the hopes that all the filter bypassing & all the random injections — all of them — work together to get the “proof-of-concept” you’re looking for, only to then have to manually enumerate the flaw.

Let me give an example. There was a situation where I had to set up a listening server (via 2 different scripts) to “listen” for an injection I was trying to do on an input value (client-side) . . . with the catch that this injection is blind, with no indication that it was vulnerable. It provided the same error prompt all the other input fields did. Soooooo — yeah, I’m getting worked up here, sorry — with tedious trial & error being all you had to go on, you had to bypass the blacklisting filter they had on file extensions (i.e. uploading a “.svg” file with malicious code), which then you’d FUZZ the extensions (possibly double extensions, yeah that’s a f**king thing), maybe even having to FUZZ the MIME types too; ONLY for the data to come back encrypted (okay, that part is not so bad), but after decoding it you realize that it was “encoded” at least 3 times, so you have to reverse it back to its original state.

I made that sound more confusing than it really is, but for the sake of not giving away too much (hint hint hint) I had to do this for something recently. You’ll learn about this attack in the path, module:

FILE UPLOAD ATTACKS

https://academy.hackthebox.com/module/136/section/1259

Probably most of you right now . . .

Alright, some of you experienced hackers might be laughing at me, but to someone new, and to most that haven’t seen layers of attacks like that before, it’s pretty difficult stuff. This was literally beyond my realm of possibilities while taking the PJWT. So, when I say this is one of many examples that separate HackTheBox from other learning platforms — it gives you an idea of what you’re getting into if you plan on skipping a Junior level cert and are new to Penetration Testing. That said, this section is not meant to scare anyone, but rather to give you a reality check on what it will be like if you “Go For Broke” as the title suggests. Now that you properly hate me and are even more confused than before, let’s talk modules.

You’ll find a theme in this blog: I thought this Path & Exam were REALLY hard. I still do. In fact, it’s part of the reason I am going to be doing the write-ups. Yes, it’s about giving back, but also, in NO way would I claim that all the content is in my memory recall. To put it simply, using the Feynman Technique (teach someone something to be sure you truly understand it), also known as the First Principles Method, I plan to make sure that if I had to take the Exam again, I’d pass 10/10 times.

That said, yes, it is enough. In fact, genuinely necessary, even during the Exam. While taking the CBBH exam (7 days to hack & submit a report) I found myself damn near re-taking the entire path. But it was also a great reference. While mapping the web application, you’ll want to have some kind of methodology in place. In fact, Rana Khalil’s course (linked in the additional resources section below) gave me an idea of how to set up a kind of “methodology” in terms of where to start and what steps to take in sequence. It can be intimidating, especially at this level of exam, to be told: “Hey, hack this, ummm figure it out, there are domains and stuff, and like . . . idk do your best”. Okay, the instructions weren’t that vague, they’d actually spell out “i don’t know”, but that’s what a “black-box” attack is. Here is the environment, here is your scope, don’t go outside of it, and find the vulnerabilities.

You’ll want to allocate time for these 7 days. If you can take time off from work, do it. Tell your friends that you’ll be going in the shadows and only call the cops on the 8th day for a wellness check (if they don’t hear back from you). Take each day as seriously as the next. Don’t slack the first few thinking you have time, and don’t let up if you start making progress fast and think it’s easier than you thought. It’ll creep up as the week comes closer to an end. But stick to the modules, take as many screenshots with quick bullet thoughts below while going through the BBH path, you’ll thank yourself later while taking the exam. Have the entire path up, 20 tabs if you need (unless you use chrome, then RIP). But in all seriousness, believe in yourself.

HackTheBox is quickly becoming the Industry Standard. With them recently releasing the CWEE (which is the equivalent of telling OffSec they are coming for the throne) and the level of critical thinking their certifications require, it’s easy to see why nowadays their certifications and job-role-path completions are so highly respected amongst the OG’s.

So with this being my first blog, ever, I don’t really know how to end it other than abruptly. However, below you’ll find additional resources I used (but aren’t necessary) to help me prepare and get through the exam. Thank you all for wasting your time reading this garbage, but I hope it has helped at least one person out there get an idea of the next steps they want to take. It can be intimidating starting out, especially if you don’t have a mentor or guide helping you make sure you’re on the right path. Just have fun, don’t go about it the wrong way, and if you genuinely love this stuff, I promise you the universe will reward you with opportunities along the way.

Additional Resources:

*Garr’s Twitch Stream: https://www.twitch.tv/garr_7

*Rana Khalil Academy: https://academy.ranakhalil.com/p/web-security-academy-video-series

Udemy: https://www.udemy.com/

PortSwigger Academy: https://portswigger.net/

TryHackMe: https://tryhackme.com/

PenTesterLab Academy: https://pentesterlab.com/
