HTB CBBH/CWES Writeup
Originally published on my old blog (2025-10-09).
The HTB CBBH certification is now called CWES.
Intro
This was my first certification in cybersecurity. I chose it because it’s a good certification for beginners seeking entry-level positions as web pentesters, and because it requires a written report, something the company I work for cares about. During my first attempt I managed to obtain nine out of ten flags and passed the exam.
Exam
After starting the exam, you have one week to complete it, and it is not proctored.
A letter of engagement is provided with all engagement details, requirements, objectives, and scope. There are five services with two flags each - ten flags total - of which eight must be found to pass the exam. Besides obtaining the flags, a professional report must be written and submitted. It is a black-box environment, and there are no limitations on tools or resources you may use (e.g., HTB modules).
Typically, one flag is obtained by bypassing authentication and taking over an account, and another flag is usually found via remote code execution and server access.
Compared to OSWA, it presents a different kind of difficulty: there is less time pressure, but more bypasses are required, for example.
Preparation Tips
Work through all modules and make sure all tools are installed and work as intended. This ensures you have a working VM for the exam with everything prepared.
Take notes, especially on parts that are new and unfamiliar. For information you already know, just note down a few reminders. Taking notes is an individual matter, but I have some recommendations.
- For each tool introduced, create a small cheat-sheet with the most important commands. Use this to look up tool usage if you forget something and to have an overview of all available tools. Add any of your own tools that are not introduced in HTB.
- For each module, create a small checklist of what to test and how to exploit it. This will help when you’re stuck and don’t know what to test for anymore, and it ensures you tested everything for every service.
- When the checklist for every module is done, make a master checklist that contains the titles of the notes for all modules so you can systematically work through everything.
Exam Tips
It was definitely helpful to have prepared scripts and attack templates ready to execute, for example, XSS attack templates to save time, or a quick webshell for testing file uploads. Lists for brute-force attacks, scripts, payload generators, etc., can be configured in advance.
Write notes during the assessment to ensure you covered all topics in case you can’t find an exploit. Document everything: if something is exploitable, copy the payloads or commands used and take screenshots. This will make writing the report much easier.
Calculate how much time you can spend on each service, take regular breaks, and have good food and snacks ready so you don’t lose focus. Try to stay ahead of your schedule.
It’s fine to spend the first two hours checking out all the services to get a feel for how they work and where exploits might be. Take notes, document discoveries, and maybe find some easy flags. After that, focus on one service and try not to switch too often, though it’s a good idea to switch when you’re stuck.
Don’t overthink. Sometimes it’s really simple. Try another payload or test the idea again in a simpler way.
Good Luck!