TBHM Live Training with Jhaddix

Attending The Bug Hunters Methodology Live training by Jason Haddix was a great experience. I think my goal with writing this post is really to paint a picture of my overall personal experience being new to Bug Bounty Hunting, coming from the Blue Teaming side of things, and to just give this course an honest review.

Quick Overview of my Experience:

  • Navy for 11 years on submarines
  • Been doing CTFs like TryHackMe and similarly related things for 4 years.
  • Mostly focused on Red Team Network Penetration testing and kind of ignoring the web side of things.
  • Now, I have been working as a Detection and Response Analyst in a SOC for the past 2 years.

TBHM Review

Signing up for the course was fairly simple: I follow Jason on LinkedIn, so when he posted a link to his course, I signed up. At the time I signed up it was on the Gumroad platform, though I am pretty sure this has changed.

  • Price: $550.00

NOTE: I think it is important to mention that this course is constantly being updated and things are subject to change very often.

I was part of Cohort 3, which, if I’m not mistaken, will be the last cohort to pay the $550 price tag. I am pretty sure that the new price tag will be around 800-some-odd dollars. Regardless, I still would have paid it to get the information and benefits that are provided in this course.

After you pay, you immediately get an invite to the private Discord server, which may be worth the money paid by itself. The private Discord server has a constant flow of information that Jason and all the people who are part of the server share on a daily basis, not to mention that almost everyone in the private Discord is a top-tier hacker with great advice! Jason also offers exclusive content that he puts out only on the private Discord server, and a monthly bug hunt is conducted as well.

The monthly Bug Hunt is really cool. Basically, each month everyone votes on a target that is part of a bounty program. Once the target is picked, Jason and the people he works with (Roll4Combat, Golden, and others) perform their reconnaissance on the target. Once they are done with the reconnaissance, they post the results in the private Discord. You are then able to take all the information that they found and go hunt bugs and collaborate. Jason is known for how deep he goes in his reconnaissance, so you really get to reap the benefits of his experience here, as well as all of the paid API keys that he has and you probably do not.

The TBHM Live Course

On the day of the class you receive an email with a Zoom link to join. This is supposed to be a 2-day, 8-hour-a-day class, but Jason usually goes over time to get as much information out as possible and answer questions. That being said, I would set aside about 9 to 10 hours each day for the course.

Day 1 Reconnaissance

The first day of class is a no-holds-barred deep dive into reconnaissance that covers pretty much everything you can think of, from getting started with ASNs to apex domain enumeration via company acquisition and divestiture, spidering, DMARC record analysis, cloud recon, and much more. Since I am newer to the Bug Bounty scene, I had some more beginner questions like:

“When running Nuclei and testing an app, what is the best way to sort through and pick out what templates to use?”

The great thing about this class is that so many experienced people attend it that if Jason does not immediately get to your question, someone in the chat will most likely answer it very quickly.

Here is a list of topics covered on day one that I have in my notes:

  • General Knowledge: AWS API Gateway, Bug Bounty Program Tracker https://bbradar.io/
  • Templates / Reporting
  • Scope and its fine line
  • ASNs and Apex Domains
  • Port Scanning
  • Passive Enumeration: SHODAN, Karmav2, and others
  • Acquisitions
  • Cloud Recon
  • Reverse Whois
  • Reverse DNS
  • DMARC Analysis
  • Recon with AI
  • Linked Discovery (Spidering)
  • Ad Analytics
  • Subdomain Scraping: Subfinder, Amass, BBOT, and others
  • API keys
  • Paid Sources for even better Reconnaissance

Day 2 Application Analysis

The second day was just as good as, if not better than, the first day, with a deep dive into application analysis and how to approach an application. I think it is important to note that most people would probably expect a deep dive into each type of attack you can perform on an application, but that is not what this course is about. Since this is an intermediate to advanced course, it is expected that you know the basics of IDOR, XSS, XXE, SSRF, and others. One of the main reasons I signed up for this course is to learn a better methodology for approaching an application to find vulnerabilities. Here, Jason teaches the unique way he approaches and looks at applications to find vulnerabilities where others have not. In my opinion, this is where the real knowledge lies in the course, because there are plenty of courses out there that can teach you how to perform an attack or what different attacks look like, but none to my knowledge that teach you how to look for and identify them on real targets. This goes for the reconnaissance section on day 1 as well.

Here is a list of topics covered on day two that I have in my notes:

  • A list of Resources for Practice targets
  • Media to follow to stay up to date with the latest techniques
  • Different Hacker Wikis
  • Application Analysis Concepts: Authentication, Integration Functions, Paid Account Functions, and many others
  • Application Layer Analysis: Open ports and services, Web hosting software, Application framework, Custom code vs Commercial off the Shelf, and more.
  • Tech profiling
  • Automated Vuln Discovery
  • Successful automation strategies
  • Content discovery
  • Historical Discovery
  • Content Discovery via Mobile applications
  • General JavaScript Analysis
  • JavaScript File Discovery
  • Inline JavaScript
  • Lazy loaded JavaScript Analysis
  • Minified JavaScript Analysis
  • Big Questions to ask when testing Web Applications
  • Heat Mapping: Uploads, Content types, APIs, Accounts, Errors, Paths, Chatbots, and more
  • Web Fuzzing
  • Payload Scanning
  • Fault Injection
  • Vuln Types
  • Testing Cheat Sheets

Overview

The amount of information, tips, extra content, and continuous updates on materials in the course make the TBHM live more than worth attending. Since I am new to the Bug Hunting scene, I thought taking this course to get me started would instill good initial methodologies I can work off of and make my own. If you are not very advanced in any of those topics and are a beginner, I would still recommend taking the TBHM course because it will give you a very realistic outlook and foundation about Bug Bounty in general. There are many great stories Jason throws in there from his experience over the last 20 years that may prove invaluable. This course was updated in real time, and if Jason gets any type of information incorrect, he fixes it on the spot. No one is perfect, no harm no foul. In my opinion this is great; I do not like having a robot that thinks they know everything and will not admit when they are wrong.

An added benefit: after taking the class the first time, you get to attend all future classes for $100. I will definitely be attending future classes because, like I said, this course is constantly being updated and the information shared and gained is a 10/10.