My HTB Certified Web Exploitation Expert (CWEE) Journey

Yudistira Arya
May 15, 2024


I recently passed the Certified Web Exploitation Expert (CWEE) from Hack The Box. Here I want to share my journey, from completing the Academy path to the exam itself.

About Me

My name is Yudistira Arya, also known as “lordrukie” or “beluga” on social media. I work as a full-time security consultant at Vantage Point Security Indonesia from 9 am to 6 pm. I’m also an undergraduate student at Binus University (online learning) and usually participate in CTFs on weekends with my campus team, PETIR.

I have a background in web exploitation, as I focused on web challenges while playing CTFs. During my time in the HTB academy, I also developed a few CTF challenges, which made the academy period take a bit longer than I expected.

Background

For some background, HTB Certified Web Exploitation Expert (HTB CWEE) is a highly hands-on certification that assesses candidates’ skills in identifying advanced and hard-to-find web vulnerabilities using both black box and white box techniques. HTB CWEE certification holders will possess technical competency in the web security, web penetration testing, and secure coding domains at an advanced level and be well-versed in the application debugging, source code review, and custom exploit development aspects of web security testing. They will also be able to professionally conduct web penetration tests against modern and highly secure web applications, as well as report vulnerabilities found in code or arising from logical errors.

Source: https://academy.hackthebox.com/preview/certifications/htb-certified-web-exploitation-expert

In order to take the exam, users need to complete the HTB Academy path. The path consists of 15 modules and 245 sections. HTB sets an estimated time of 27 days to complete the path.

You can check the detailed information here: https://academy.hackthebox.com/paths/jobrole

Preparation — Academy Modules

I bought the Golden Annual Subscription, which gave me access to all the modules and an exam voucher. I started the modules on March 22, 2024, and finished them on April 10, 2024, taking about 27 days to complete everything.

I had a lot of fun during this period. The modules are well-designed with practical labs. In some modules, the labs were more challenging than the material itself, which I found beneficial as it pushed me to do my own research and look for additional references online. This approach made the labs take longer to complete, but it was worth it.

I shared my progress on Facebook, so if you’re on my friend list, you could see how long it took me to complete the modules xD

The Exam

Some Information

  • Obtain 90/100 points to pass the exam.
  • Flags are obtained from a high-privileged user and from command execution on the web servers.
  • The target approach may differ. Some targets require a white-box approach, while others require a black-box approach.
  • All vulnerabilities have been covered in the Academy modules.
  • Users may need to chain several vulnerabilities to obtain a flag.
  • The exam duration is 10 days (including the report).
  • It consists of three targets (domains) with several subdomains.
  • The exam requires candidates to develop their own exploit scripts for vulnerabilities that need automation.

I took the exam on April 28, 2024, and I managed to achieve full points within three days, by May 1.

I solved all the white-box targets within the first day and a half. The most challenging part was tackling the black-box targets, which took me about a day and a half to find and exploit the vulnerabilities.

How did I do it? As a CTF player, I frequently engage in source code analysis, which was immensely helpful in identifying vulnerabilities in the white-box targets.

After that... the report.

The Report

CWEE is a unique exam. You must include the fixed code for the white-box target, which was the hardest part for me since it was my first time doing white-box reports. Additionally, you need to provide all the exploitation scripts you developed during the exam. Like many other hackers, I don’t enjoy writing reports much. I finished the report just two hours before the exam ended.

The report is written in Markdown format. HTB provides some sample reports, but you can also create your own.

The report must be as detailed as possible. Based on the sample report, users need to at least:

  • Write a vulnerability background.
  • Determine the CVSS score (using CVSS 4.0).
  • Write a vulnerability description.
  • Explain how you found the bug, with details such as the file name, the affected lines or code blocks, why it is vulnerable, etc.
  • Provide a recommendation and the patched code.
  • Provide vulnerability references.

The Waiting

After successfully creating the report and submitting it to HTB, I waited for around 5 days before I got this exciting email.

Tips & Advice

  • Actively participate in CTFs to gain as much experience as possible with source code reviews.
  • Don’t skip any of the academy material, as all the exam vulnerabilities are covered there.
  • Don’t overlook the scripting section. You’ll need to create your own scripts during the exam.
  • Some modules have their own white-box challenges. Set up a mini lab on your computer and experiment with the code to better understand the programming language and the vulnerabilities.
  • Establish a methodology for black-box testing. For instance, determine your approach when encountering user input or an upload function.
  • The exam is not more difficult than the academy’s final labs. If you can easily complete those labs with your own skills, you should be well-prepared for the exam.

Contact

If you want to contact me, you can hit me up on LinkedIn, Telegram, or Discord at @belugagemink.
