HACK THE BOX Certification

@codingo Yes youā€™re right about a lot of that for sure. You do have the ability to use that stuff if you wish but its not needed to crack the machines. When I went through it I was focused on doing everything manually, because thats pretty much the purpose of the PWK, and I avoided the tools.

A lot of people who take the PWK course will apply the rules of the exam to the labs themselves in order to practice, as did I. With the limited amount of time you have in the labs to learn the manual way, its not realistic to also learn all of the tools in the same amount of time.

Which is where HTB/Vulnhub comes in. Iā€™ve actually been using tools a lot more in HTB which is pretty cool.

@codingo said:
Itā€™s important to remember that OSCP is a beginners qualification thatā€™s aimed at teaching enumeration and basic exploitation. This would all be great, but it would deviate from that ideal.

In response to this about the Red Team aspect; yes youā€™re right, which is part of the reason I bring it up. OSCP already does a great job doing the beginners stuff, lets just let them do what they do best. I really wanted to identify what PWK/OSCP lacks, thats the stuff that could be incorporated into a next level platform. I wouldnā€™t want to see other labs competing with Offsec, Iā€™d rather see them build on top of it. Pen Testing is hugely different than Red Teaming, and Offsec doesnā€™t teach Red Teaming.

@codingo said:
Cobalt Strike is just a wrapper for metasploit anyway (and a ā– ā– ā– ā–  expensive one at that)

Cobalt Strike is not a wrapper for metasploit. Its actually not a pen testing tool per say, but more of a Red Team tool. It also only targets Windows machines (for now) and does a ā– ā– ā– ā–  good job of it. CS offers pretty great C2 capabilities and offers a much better platform for persistence during an engagement. The point of CS is to be able to move around a windows domain, passing hashes, finding files, enumerating things and ā€œliving off the landā€ etc. It is not an exploitation framework, though it does have some exploit capabilities.

Also as to how expensive it is, you can get a copy for free at home if you have a .edu email address, and also Mudge (creator of CS) posted a tutorial on how to crack CS for those that donā€™t want to pay for a license.

All fair points, sounds like weā€™re on a similar page although I personally donā€™t think a red team certification would add much value to a market that tends to teach those skills in the field - Iā€™m happy to be proven wrong though. Iā€™m certainly misinformed about Cobalt Strike - will need to spend today adding it to my playbooks :slight_smile:

have you decided something ?

This isnā€™t a good idea.

OSCP develop the distributions incorporating tools and are therefore able to develop a curriculum that can gauge ones ability in using these in real environments. The reason OSCP is so recognized because OSCP are the authority because they are the distributors.

Not very useful having a certificate that says youā€™ve achieved X on HTB or any other site, because they can make up any curriculum and marking scheme they likeā€¦?

Go get an OSCP cert if you want a cert lol.

HTB is one of the single-best free services Iā€™ve ever had the pleasure to use in my 25 years online. All the team are a great credit to themselves. I think a certification would be a great idea - but perhaps changing the cert name to something more ā€œindustry soundingā€.

many people cant afford OSCP $700-$1100; we spoke about a special box for htb cert.

@peek said:
many people cant afford OSCP $700-$1100; we spoke about a special box for htb cert.

I like the certification box idea. :+1:

@peek regarding OSCP, lets take into account that you donā€™t pay $700-$1100 for a certification. You pay it for the course (that is a pretty good one) and the course results in a certification. Even CEH Certification exam that is one of the highest in price costs around $250 while OSCP exam retakes cost around $90.

Imagine now being able to take the OSCP cert directly by paying $90 for the certification exam. Do you believe it would have the same gravity in the industry as it has now? I bet not.

I like the certification idea and actively looking at ways to make it a reality, although I do not want to offer a certification just for the certification. If a cert is to be made, it should either be very difficult to really bring forward the best talents or be accompanied by a very good course to train better professionals (or even both).

Until then, I am working on a Pro Profile page (VIP Feature) that will present the users skills in a more professional way, suitable to be added to a CV and verified from our website.

I welcome your thoughts on the above.

Do you believe it would have the same gravity in the industry as it has now?
does the industry know HTB is superior^3 to oscp
what ?
:slight_smile:
with that out of the way, I like the idea of ā€œPro Profile pageā€, keep up the good work.

I just meant that many people cant afford that; I hope industry knows htb if they are serious and updated. And good for Pro Profile.

@ch4p said:
@peek regarding OSCP, lets take into account that you donā€™t pay $700-$1100 for a certification. You pay it for the course (that is a pretty good one) and the course results in a certification. Even CEH Certification exam that is one of the highest in price costs around $250 while OSCP exam retakes cost around $90.

An OSCP retake costs $60 and the CEH is over $900 nowā€¦ which is absolutely insane for what you get out of the CEH(nothing).

As for teaching red team skills, trust me when I say that everyone here who hasnā€™t been a part of an actual NSA accredited red team wants absolutely nothing to do with a redteam related certification. It would be 85% reading/creating documentation and then 15% actual pentesting.

@lowpriv said:

@ch4p said:
@peek regarding OSCP, lets take into account that you donā€™t pay $700-$1100 for a certification. You pay it for the course (that is a pretty good one) and the course results in a certification. Even CEH Certification exam that is one of the highest in price costs around $250 while OSCP exam retakes cost around $90.

An OSCP retake costs $60 and the CEH is over $900 nowā€¦ which is absolutely insane for what you get out of the CEH(nothing).

As for teaching red team skills, trust me when I say that everyone here who hasnā€™t been a part of an actual NSA accredited red team wants absolutely nothing to do with a redteam related certification. It would be 85% reading/creating documentation and then 15% actual pentesting.

interesting to know

@Arrexel said:
I suggested this a few months ago. It is a bit soon yet, but I could definitely see it if we could get some good material together and a private lab for certifications, after we grow some more. Who knows what the future might bring :slight_smile:

I think the gamification element is better, maybe some events would be a better way to go for that. Winning an event or placing an event is as good as a cert in this industry, maybe itā€™d be harder for a recruiter to understand/get but since this is always evolving it doesnā€™t really work with ā€˜getting a certā€™ as thatā€™s a bit final - in my opinion. OSCP already offers the basics, I see HTB as a place to compete and learn.

Speaking of certs has anyone been ballsy enough to claim HTB lab time for CEUs for CISSP or the like?

Iā€™m just gonna order stickers of my badge and put it on my resumeā€¦

Haha, no for real though I can see this being a thing. The issue (as with the OSCP now) is validation of you being the one that passed the test or requirements or whatever it ends up being.

I got my OSCP back in Jan and it was right before they started pushing the pilot for the video proctoring of the test. It was becoming too apparent that people were cheating the test apparently and now they need to enforce some sort of validation.

I will say on the other hand, if you were to tell me you even had an account here when in an interview my ears would perk up immediately. It shows you really care just about the learning and the challenge. The OSCP is starting to almost become required and its check the box (a great one, donā€™t get me wrong on that) but HTB on the other hand is just a sign that you take the time to keep getting better, you want to learn and hone your skills. And that is really what matters.

So actually, ā– ā– ā– ā–  yeahā€¦ Throw your badge on your resume F* it.

@Rantrel said:
Iā€™m just gonna order stickers of my badge and put it on my resumeā€¦

Haha, no for real though I can see this being a thing. The issue (as with the OSCP now) is validation of you being the one that passed the test or requirements or whatever it ends up being.

I got my OSCP back in Jan and it was right before they started pushing the pilot for the video proctoring of the test. It was becoming too apparent that people were cheating the test apparently and now they need to enforce some sort of validation.

I will say on the other hand, if you were to tell me you even had an account here when in an interview my ears would perk up immediately. It shows you really care just about the learning and the challenge. The OSCP is starting to almost become required and its check the box (a great one, donā€™t get me wrong on that) but HTB on the other hand is just a sign that you take the time to keep getting better, you want to learn and hone your skills. And that is really what matters.

So actually, ā– ā– ā– ā–  yeahā€¦ Throw your badge on your resume F* it.

+1

I donā€™t think a cert is necessary. Some people do cheat on htb for ranks (although idk why) but trying to add a certification sounds like it would add too much baggage with it tbh. HTB already has the street cred of being the best (free) platform for pentest training/pentest ctf so I donā€™t think thereā€™s much point to it. (In my opinion)

I would absolutely love to have a specific set of challenges that HTB makes a Cert for. I will be even be okay if you have to pay to take it (I am thinking of a system like
RastaLabs). It would stand out on resumes and I would of course love to do it, especially just as a challenge to test myself.

@RedTeamIntern said:
I would absolutely love to have a specific set of challenges that HTB makes a Cert for. I will be even be okay if you have to pay to take it (I am thinking of a system like
RastaLabs). It would stand out on resumes and I would of course love to do it, especially just as a challenge to test myself.

+1 but I also agree in some other comments HTB is BY FAR with pentestit.ru the best you can find for free and with out going to a world wide competition like the defcon ones and others. So if we force people to cheat then the value will go down, even do also is true that we can make a anti cheat system of some sort.

@Rantrel - Iā€™d proudly add this to my LinkedIn. I will do eventually, no doubt. I value this learning over any reading/CBT Iā€™ve done. I will sign up for OSCP eventually, 24 hours on cam doesnā€™t bother me, if anything Iā€™d add ā€œvideo proctoredā€ on my CV/LinkedIn as I think it adds value to it as itā€™s been heavily abused prior to this.

If HTB did do some certification, Iā€™d probably do it but I want something more continual than something one off, this industry is evolving, it needs continual professional development and thatā€™s why CEH and CISSP puts me off - itā€™s a binary pass/not pass and itā€™s heavily abused with braindumps for that reason.