HTB CBBH Review - A Penetration Tester's Perspective
If web application security interests you, HTB’s CBBH offers structured practice that translates well to both bounty hunting and professional penetration testing.

The Certified Bug Bounty Hunter, or the CBBH, is pretty explicitly marketed towards bug bounty hunters. So is it still worth looking at if you're going for a pentesting role/planning on doing the CPTS?
TL;DR: Yes👍
Overview
The CBBH is a certification offered by HackTheBox that requires a candidate to first complete the associated Bug Bounty Hunter Path, before attempting an exam that assesses everything learnt in the course.
It's tailored towards beginners and focuses exclusively on web apps, unlike the CPTS which also covers additional topics like attacking networks and Active Directory. This isn't necessarily a bad thing as what it lacks in breadth, it makes up for in depth.
Relevance of CBBH to Professional Pentesting

It's very relevant.
CBBH only covers web applications, so what you learn is only directly useful when assessing web applications. That said, web applications come up regularly in real engagements.
Note, though, that the modules tend to emphasise high-impact attacks such as privilege escalation and system compromise. Real world testing is less about 'finding a flag' and more about proving that a vulnerability exists and demonstrating the impact it could have on your client if exploited.
The 'less exciting' vulnerabilities like an IDOR that just lets you read another user's hidden blog post can be just as important to identify depending on the data being read.
Additionally, not all modules reflect modern web realities. Modern web frameworks do a lot to eliminate whole vulnerability classes, and some flaws are rare because few applications use the languages they depend on. Niche knowledge is good to have, but you’ll likely find XSS far more often than, say, XSLT.
Modules Most Relevant to Pentesting
You may find other modules more interesting or relevant, but these are the ones I found most useful, or believe would be most helpful, for someone starting in this field.
- Introduction to Web Proxies - 90% of your time when testing web applications will be spent in Burp Suite. Being comfortable working with Burp is extremely important in making sure your time is spent actually testing instead of fighting it and trying to figure out how it works.
- Broken Authentication - Authentication related vulnerabilities are generally always high impact as they can allow an attacker to impersonate other users, access more of the application and therefore potentially sensitive information. Though you likely won't be spending too much time brute forcing passwords, knowing to test for issues with authentication is extremely important.
- Cross-Site Scripting (XSS) - Being able to recognise, exploit and explain the potential impact of XSS is compulsory for any pentester. It's also the first 'real vulnerability' the course path covers and stands as a good introduction into the type of stuff that can go wrong in modern web applications.
- SQL Injection Fundamentals/SQLMap Essentials - Good introduction to server-side vulnerabilities, though having some basic knowledge of SQL syntax beforehand can help. The module unfortunately doesn't cover Blind SQL Injection so it's worth doing your own research or additionally taking the similarly named module HTB also offers.
- File Upload Attacks - The module covers a good array of different attacks you can try to upload a file type that might appear banned on the surface, as well as why you should care about this in the first place. PHP apps aren't super common in real testing though so you (unfortunately) probably won't be getting RCE.
- Web Attacks - Covers a range of different kinds of vulnerabilities and attacks that are pretty common. IDOR and XXE in particular are fairly common and very easy to spot once you know what they look like.
- Attacking GraphQL - This is a new mini-module added as part of the overhaul to CWES. GraphQL is fairly common and it's a good introduction to how it works and potential exploits.
Learning Beyond CBBH
The CBBH is pretty basic when it comes to learning about testing for broken access control and I'd recommend you spend additional effort learning this.
After completing the course and certification, it's also worth looking into the CWEE as it builds directly on top of CBBH. It expands on previously taught content and introduces new, more complex vulnerabilities.
Course Module & Exam Tips
- Use the HTB forums if you get stuck for too long on a challenge - most challenges have some hints that past takers have left you can refer to for a push in the right direction. If you're still stuck, you can join the HackTheBox Discord and ask for further help there.
- Make Notes During The Exam. You will be expected to write a report at the end detailing your attack chain for every vulnerability you identify. Whenever you finish a question, write down as much detail about it as you need to be able to reliably replicate the attack at a later time. Simply recording the flags is not enough for a pass, and if your exam environment crashes for any reason (like mine did, right at the end...) you'll be glad to have them.
- KISS (Keep It Simple, Stupid) - If you're digging into a rabbit hole trying to solve a challenge you're probably doing something wrong. Nearly everything you need to solve every challenge is in the course content already, you just might need to do some thinking outside of the box. Don't be afraid to retry exploits you thought you covered already as well.
- You have several days to do the exam - don't neglect your health. Make sure to eat, get enough sleep and touch some grass occasionally. Remember you also get two attempts at the exam per voucher, so you don't have to pass the whole thing on the first try.
- Finally, don't forget to enumerate if stuck.