Hack the Box Academy Bug Bounty Hunter Path Review
After thoroughly embarrassing myself in an interview, I decided it was time to get somewhat competent at Web Application Pentesting. So, how does Hack the Box's platform stack up?
Ethical Disclaimers
Before beginning, I need to disclose a few things here. First off, this is only a review of the Bug Bounty Hunter Path within Hack the Box Academy, and therefore does not cover the certification itself. I decided against taking the certification, so I do not want to misrepresent what this post covers. Secondly, I paid for this course in its entirety. As of the publishing date, I have not received any compensation from Hack The Box, my employer, or anyone else for writing this review. The thoughts and opinions expressed here are mine, and mine alone.
Thoroughly Embarrassing Myself
Some of you who have read my previous reviews or posts may be thinking, "WinteKnight, I thought you were working on PortSwigger Web Security Academy and MalDev Academy? What gives? What happened?" Well, a job hunt which has been in progress for 20 months is what happened. That, and taking up some CCDC-related responsibilities. I was struggling to understand the content of PortSwigger Web Security Academy due to a lack of a solid foundation. I had more questions than answers, and then came to a crossroads: either stop working on WebApp stuff and re-focus on Windows internals and MalDev, or come up with a new strategy to learn Web App.
I then had a few job interviews for an IoT Product Security position, and that position was unexpectedly fairly web heavy. I completely flopped an interview, and was then ghosted by the employer until my application was thrown out a month or so later. I was mad at how I performed, so I did what I usually do when I get mad at myself and fixed the problem by throwing myself into self-betterment. I knew that PortSwigger wasn't working for me, because its material assumes that you already know the basics of web applications and how to test them (or at least it did when I last looked at it in April 2024). I decided I needed to re-center my training efforts, and came down to 2 options: either WEB-200 from OffSec, which I wasn't enthusiastic about (check out my OSCP review for how exactly I feel about OffSec), or give Hack The Box Academy a run, which is what I eventually decided to do.
The Academy Platform
For those who are unaware, Hack The Box (HTB from now on) is known for, well, having boxes to hack. They are probably the largest CTF platform today, and a few years ago they decided they wanted to offer training and certifications, which became the Academy. One of the differentiating factors of HTB is that it's a gamified platform. They emphasize the competition between players everywhere, with leaderboards, credit for solving challenges first, learning streaks, graphs to show progress, and an emphasis on sharing on social media. Also, the platform has a legitimately cool feature of showing which Academy modules map to which boxes in the main CTF platform and vice versa.
The Academy itself is organized into atomic, specific modules sorted in a variety of ways to help guide students to what they want to learn. Each module is focused on a particular topic like "Cross Site Scripting", "Logon Brute Forcing", or "Hacking WordPress", with the modules sorted into "Offensive", "Defensive", and "General", complete with Diablo-style balls which fill as you complete more of the modules in those categories. However, HTB Academy also has Paths, which is where the platform shines in my opinion. There are 2 types of Paths: Skill Paths and Job Role Paths. Skill Paths are essentially logical bundles of modules that cover a topic more broadly. These include "Local Privilege Escalation", "Intro to Binary Exploitation", and "SOC Analyst Prerequisites", amongst others.
Job Role Paths are the paths needed to train for one of the HTB certifications: Certified Penetration Testing Specialist (CPTS), Certified Bug Bounty Hunter (CBBH), Certified Defensive Security Analyst (CDSA), and Certified Web Exploitation Expert (CWEE) at time of publication. As previously mentioned, this review only covers the Bug Bounty Hunter Job Role Path. The reason I decided against taking the certification exam is that I don't exactly love web application pentesting, so I don't want to make it look like it's my bread and butter. I like systems and network pentesting significantly more. The training goals were essentially to not be useless at testing web applications and to be able to figure things out if I need to cover for a tester who takes halfway decent notes. Anyways, once you enroll in a Path, it shows up on your homepage when you log in, with progress for each module shown. Some modules also count for multiple Paths, meaning if you take a module for the Bug Bounty Hunter Path and it's also part of the Penetration Tester Path, you get credit for both. The Bug Bounty Hunter Path has about a 33% overlap with the Penetration Tester Path. So, if you were thinking about doing the Penetration Tester Path after finishing the Bug Bounty Hunter Path, you can skip over the work you previously did in the Bug Bounty Hunter Path.
Finally, before diving in further I want to discuss cost. Cost on HTB Academy is a little weird, due to the gamification and atomization of the platform. (Is that a word? It is now.) You have to attach a credit card to your account, and either purchase Cubes, at a rate of $1 USD to 10 Cubes, or purchase a subscription. I purchased Cubes on an ad-hoc basis. Personally, I don't love the idea of my credit card just sitting on the site, ready to purchase Cubes or an exam voucher with a literal click of a button, a pop-up, and a second button. I wish this was gated a little better. Anyways, getting a subscription gives you access to all Tier 2 or Tier 3 modules (depending on what subscription level you pay for), CPE submission, and a step-by-step solution guide. This is a good place to explain the last important sorting method, which is Tiers. Cost per module is tied to the Tier it is attached to, and Tiers range from 0 to 4. Finally, HTB Academy does something interesting to keep you on task with your modules: it drip-feeds you Cubes as a reward for completing modules, which effectively works out to a slight price reduction, assuming you finish the module.
Here's the price table per module:

| Module Tier | Cube Cost Before Completion | Cube Cost After Completion | $ USD Before Completion | $ USD After Completion |
|---|---|---|---|---|
| 0 | 10 | 0 | 1 | 0 |
| 1 | 50 | 40 | 5 | 4 |
| 2 | 100 | 80 | 10 | 8 |
| 3 | 500 | 400 | 50 | 40 |
| 4 | 1000 | 800 | 100 | 80 |
The total number of Cubes required for the Bug Bounty Hunter Path is 1410, and you get a total of 330 back by the end of the Path. This makes the cost of training extremely reasonable, at $141 before Cube refunds, or $108 after. If you choose to get certified, it's $210 additional. To the best of my knowledge, Cubes cannot be used to purchase the exam. Each exam voucher grants you 2 attempts, and you'll have 7 days to complete the exam. You pass the exam when a certain number of points are reached and a report is submitted. This sounds reasonable to me! However, I need to stress that I did not go through the exam process, so that's about all I can say.
Alright, enough rambling. How are the modules?
Well, they were mostly good, with some exceptions. HTB uses a community-driven approach for the Academy, and you can see who wrote each module on the details page before purchase. This leads to some inconsistencies in quality and teaching style. The differences in teaching style are not inherently a problem, but they are noticeable. The quality hit is a problem, but I will touch on that later. The Path charts out a series of modules, but since they are atomic, you can deviate from the presented order if you wish. The first 3 modules in the Path, Web Requests, Introduction to Web Applications, and Using Web Proxies, were excellent at establishing a foundation, which is what I needed most. I found those modules to be of high quality, and I have no complaints there.
The next one, Information Gathering - Web Edition, was one I had to take twice-ish. I struggled with some of the DNS recon they have you do in the module, and this was the first module where I felt the material could have been better. However, they updated the module after I completed it, and the new material was significantly improved. I will note that the Skills Assessment in that module had a bug: it kept my old answers in the text boxes, and I think they changed the questions but left my formerly correct answers in place. It confused me initially, before I saw I still had 100% completion in the module after going through the new material, and then I moved on. The next modules, on using ffuf and on JavaScript Deobfuscation, were unique, and I have not seen those topics covered on other mainstream platforms. These modules were quite good as well.
From there, there was a lot of overlap with OSCP content, as the course covered XSS, SQLi, Command Injection, Malicious File Uploads, and File Inclusion. Then came some additional attack vectors which are web-specific: SSRF, CSRF, IDOR, session security, and SOAP and REST APIs. Generally speaking, the material was very clearly presented, the challenges were fun, and I didn't run into any significant bugs (unlike OffSec's). You can also choose to use Pwnbox, or VPN into the Academy with your own VM if you wish. The modules are well organized, on topic, and of a high quality. They push you to learn and use the given platform effectively. I think these were well made. Good job, module writers.
I have gripes with 2 modules, however, and both were made by the same team: RiotSecurityTeam's Session Security and Web Service & API Attacks. The way they use the HTB platform seems suboptimal in my opinion. Instead of giving you information and then challenging you on it like the rest of the modules, they have you work in the lab alongside the instruction. This isn't inherently a problem, but I feel as though this is a crutch, as the content doesn't do nearly as good a job of explaining why things are set up the way they are, or what the payloads are doing exactly. Then, instead of challenging you at the end of that content like the rest of the modules do, for some reason they have you put multiple choice answers in the flag box. Why is it like this? It's weird, and it feels like a wasted opportunity.
Another quality issue, for example: in the API module, the skills assessment has you exploit a SOAP API endpoint, but the module doesn't cover how to determine what needs to be in your SOAP call. It just has you copy a payload over from earlier in the module, make a few tweaks taken from a different payload earlier in the module, then use that with a SQLi to get the flag. Finally, just because I don't know where else to put it: PLEASE, Hack the Box, PLEASE strip whitespace from pasted flags before processing them. I had so many flag submissions rejected because of spaces at the end of a pasted flag. This was killing me. It's minor but super annoying. A trailing space at the end of my flag should not cause it to be processed as wrong.
Worth it?
For $141, it's absolutely worth it. It's way better than most Udemy courses, which tend to live in this price range. It's also way cheaper than OSWA, and I really, really like the way that Hack The Box is putting their spin on the offensive security training space. Well done, HTB, you are getting more of my time and money on the platform. If/when you release an OSEP competitor, I am very likely to take it, and the exam too this time. No training platform is perfect, but you are the closest we have. The Path was well made, the platform has great ideas, and you will continue to get my business.