HACK THE BOX Certification

@ch4p said:
@SirenCeol and @goutsou, to issue a cert that is acknowledged in the market, we need to grow more. Issuing certs like all those pen-test learning sites seems to me of no meaning. When the time comes we have plans on doing so, but we will be looking at it after the pro labs roll out for some time and after we have a more recognizable name.

Right now, we are thinking of offering a value-add to the VIP users that will be like an online professional profile suitable to be demonstrated on CVs etc. that will include progress and also categorize skills based on machines owned, e.g. Good on Exploit development or SQL Injections etc.

Sounds good dude

hello, it would be awesome to have an htb cert.

I’ll preface this by saying that I love HTB, and I’m not trying to disparage it. I hope this is viewed as advice and not an attack.

If HTB was going to add a certification then another consideration is the “realism” behind machines. The OSCP is taken seriously because it reflects more of a corporate network - the lab has interdependent machines, multiple subnets, strongly discourages msf, etc. The other element, probably the most important, is that their machines, for the most part, avoid things like a service there “just because” (they’re built out more, even if it’s a rabbit hole) and don’t tend to implement areas like stenography.

I don’t think HTB’s position in the market is as an “authority” like Offensive Security, and I don’t mean that in a bad way. I think HTB is more of a fun, less serious, competitive CTF. If I am stuck on a box, people will help. If I’m stuck on an OSCP lab machine, that won’t happen outside of resources and links - and in both cases, that’s great. I don’t want my certifications watered down, but I also want to see an area in the market where people can progress from VulnHubs, and I see HTB filling that space.

A dashboard of achievements like CodeCademy or PenTester Lab’s certification implementation (as an addon without an exam, not the core focus) is a far better idea. It keeps the fun of the current lab, and also keeps HTB as a competitive platform, not a certification based one.

@codingo my point also. As I said, if certs are to be issued, they will be issued under the pro labs umbrella. Something that has a long way to go.

In the meantime, professional profiles is more or less what you suggest.

in that case, htb could make a final exam with private access for the session exam.

@peek said:
in that case, htb could make a final exam with private access for the session exam.

+1

Do we really need more certs in the info sec community?

@codingo said:

If HTB was going to add a certification then another consideration is the “realism” behind machines. The OSCP is taken seriously because it reflects more of a corporate network

PWK/OSCP isn’t really a “corporate network”… They have 3 machines maybe that are part of the domain (i.e. they take domain credentials as login)… They do have 4 networks separated by firewalls that allow you to practice port-forwarding/pivoting but other than that, in my opinion HTB is very very close to the PWK labs and on top of that there are new machines all the time.

One of the other things about PWK (which they do a good job of) is making sure you do everything manually… This is an essential skill but there are some cons to this:

  • You aren’t able to get familiar with actual tools
    • Burp/Zap
    • Metasploit
    • Cobalt Strike
    • SET
    • PowerShell Empire
    • sqlmap
  • There is no Red Team aspect
    • Yes, this is a pen testing cert, but learning the IoCs and how to evade IDS/IPS would be a killer skill to have
    • Deeper understanding of the tools you use to find IoCs and help blue teams and incident handlers
    • Setting up persistence on devices

All in all with PWK you basically just learn the critical skill of following a methodology and you learn it in the best way possible. Struggling through OSCP was the learning experience of a lifetime… But the exploits and attack methods you learn are not realistic (as in relevant) anymore. You really won’t see a lot of that stuff in the wild.

Another consideration would be course material. That would be a lot of work (I would love to help!).

You are right about the CTF style stuff here in HTB though, not realistic but it’s an important skill to practice (it also keeps things interesting). But I’d rather not go through another PWK/OSCP. It’s important to keep things different enough because I don’t think trying to make another cert similar to PWK/OSCP would be a good idea.

I like Arrexel’s idea to just see what happens. This is a really great service, growing really fast and pretty much everyone I know in the community has already heard of it.

@codingo said:

A dashboard of achievements is a far better idea. It keeps the fun of the current lab, and also keeps HTB as a competitive platform, not a certification based one.

I also very much agree with this.

Achievement points… more addictive than crack. Great post btw @day1player

Although I think we’re mostly in agreement on the HTB approach @day1player I do want to touch on your points regarding the OSCP:

- You aren't able to get familiar with actual tools
  - Burp/Zap
  - Metasploit
  - Cobalt Strike
  - SET
  - PowerShell Empire
  - sqlmap

This isn’t correct - you can use Burp Free/Zap as far and wide as you want, Metasploit on a single machine in the exam (and handlers everywhere), or as much as you want in the labs and although you can use the others in the labs (sqlmap / powershell empire), you won’t need to. Cobalt Strike is just a wrapper for metasploit anyway (and a ■■■■ expensive one at that) - the point of OSCP is the core understanding so it has no relevance there.

- There is no Red Team aspect
  - Yes, this is a pen testing cert, but learning the IoCs and how to evade IDS/IPS would be a killer skill to have
  - Deeper understanding of the tools you use to find IoCs and help blue teams and incident handlers
  - Setting up persistence on devices

It’s important to remember that OSCP is a beginners qualification that’s aimed at teaching enumeration and basic exploitation. This would all be great, but it would deviate from that ideal.

Struggling through OSCP was the learning experience of a lifetime.. But the exploits and attack methods you learn are not realistic (as in relevant) anymore. You really won't see a lot of that stuff in the wild.

A lot of the exploits, no. But some of it I still see. You’d be surprised how many organisations (retail, health) are still running extremely old systems. The web skills you learn are all particularly prevalent on internal applications that you come across. Plus people still run SMB1, even after the year we’ve had…

@codingo Yes you’re right about a lot of that for sure. You do have the ability to use that stuff if you wish but it’s not needed to crack the machines. When I went through it I was focused on doing everything manually, because that’s pretty much the purpose of the PWK, and I avoided the tools.

A lot of people who take the PWK course will apply the rules of the exam to the labs themselves in order to practice, as did I. With the limited amount of time you have in the labs to learn the manual way, it’s not realistic to also learn all of the tools in the same amount of time.

Which is where HTB/Vulnhub comes in. I’ve actually been using tools a lot more in HTB which is pretty cool.

@codingo said:
It’s important to remember that OSCP is a beginners qualification that’s aimed at teaching enumeration and basic exploitation. This would all be great, but it would deviate from that ideal.

In response to this about the Red Team aspect; yes you’re right, which is part of the reason I bring it up. OSCP already does a great job doing the beginners stuff, let’s just let them do what they do best. I really wanted to identify what PWK/OSCP lacks, that’s the stuff that could be incorporated into a next level platform. I wouldn’t want to see other labs competing with Offsec, I’d rather see them build on top of it. Pen Testing is hugely different than Red Teaming, and Offsec doesn’t teach Red Teaming.

@codingo said:
Cobalt Strike is just a wrapper for metasploit anyway (and a ■■■■ expensive one at that)

Cobalt Strike is not a wrapper for metasploit. It’s actually not a pen testing tool per se, but more of a Red Team tool. It also only targets Windows machines (for now) and does a ■■■■ good job of it. CS offers pretty great C2 capabilities and offers a much better platform for persistence during an engagement. The point of CS is to be able to move around a windows domain, passing hashes, finding files, enumerating things and “living off the land” etc. It is not an exploitation framework, though it does have some exploit capabilities.

Also as to how expensive it is, you can get a copy for free at home if you have a .edu email address, and also Mudge (creator of CS) posted a tutorial on how to crack CS for those that don’t want to pay for a license.

All fair points, sounds like we’re on a similar page although I personally don’t think a red team certification would add much value to a market that tends to teach those skills in the field - I’m happy to be proven wrong though. I’m certainly misinformed about Cobalt Strike - will need to spend today adding it to my playbooks :slight_smile:

have you decided something ?

This isn’t a good idea.

OSCP develop the distributions incorporating tools and are therefore able to develop a curriculum that can gauge one’s ability in using these in real environments. The reason OSCP is so recognized is because OSCP are the authority because they are the distributors.

Not very useful having a certificate that says you’ve achieved X on HTB or any other site, because they can make up any curriculum and marking scheme they like…?

Go get an OSCP cert if you want a cert lol.

HTB is one of the single-best free services I’ve ever had the pleasure to use in my 25 years online. All the team are a great credit to themselves. I think a certification would be a great idea - but perhaps changing the cert name to something more “industry sounding”.

many people can’t afford OSCP $700-$1100; we spoke about a special box for htb cert.

@peek said:
many people can’t afford OSCP $700-$1100; we spoke about a special box for htb cert.

I like the certification box idea. :+1:

@peek regarding OSCP, let’s take into account that you don’t pay $700-$1100 for a certification. You pay it for the course (that is a pretty good one) and the course results in a certification. Even CEH Certification exam that is one of the highest in price costs around $250 while OSCP exam retakes cost around $90.

Imagine now being able to take the OSCP cert directly by paying $90 for the certification exam. Do you believe it would have the same gravity in the industry as it has now? I bet not.

I like the certification idea and am actively looking at ways to make it a reality, although I do not want to offer a certification just for the certification. If a cert is to be made, it should either be very difficult to really bring forward the best talents or be accompanied by a very good course to train better professionals (or even both).

Until then, I am working on a Pro Profile page (VIP Feature) that will present the users’ skills in a more professional way, suitable to be added to a CV and verified from our website.

I welcome your thoughts on the above.

Do you believe it would have the same gravity in the industry as it has now?
does the industry know HTB is superior^3 to oscp
what ?
:slight_smile:
with that out of the way, I like the idea of “Pro Profile page”, keep up the good work.

I just meant that many people can’t afford that; I hope industry knows htb if they are serious and updated. And good for Pro Profile.