For those of you unfamiliar with the course, you can find it at https://academy.hackthebox.com along with their Bug Bounty track and more great resources. I will talk more in depth in a moment, but the course goes through the pentesting process and common tools and services. Overall, I would recommend this course to those looking to get into penetration testing or to those looking to hone their skills from novice to intermediate.
The path is comprised of 28 moduels, each module with 10 to 36 sections, averaging about 20 sections. I recommend going in the order they suggest, bust skipping around is possible too. Just note that some skills that you learn early in the track will be required later on. Starting with the "Penetration Testing Process" module, the track takes you through network enumeration, footprinting, and information gathering. It then goes through some processes like file transfers, how to create payloads, and how to crack passwords. The course then goes through some common environments and services you may find like FTP, SMTP, Active Directory, SQL servers, and how to exploit them through various injections and common vulnerabilities. Lastly it teaches privilege escalation in Linux and Windows. The final 2 modules are in learning Documentation, and finally, "Attacking Enterprise Networks".
There was quite a lot I learned from this course, especially since my prior experience was limited to shadowing pen tests and assisting only in small background operations. The first, is that I DEFINITELY need to document my work more. That's part of the reason I made this website. But more seriously, every section gave me massive insight into both the mindset and methods of penetration testers. Each section taught me a new skill, such as how to make sense of enumeration readings, how to establish persistent connections where applicable, and how to make sense of the architecture behind a full system, in both enterprise of SOHO. I found tremendous value in the course, but there were a couple of downsides.
First of all, the backend of their system is not flawless. Many times I had to either put everything on hold, or even completely reset my virtual machine (provided by them either through a web interface or an iso file which I recommend). Granted, they are running very complex architecture with many users all accessing at once, so I do not hold it against them by any means, but at times it could be frustrating. Secondly, some of the modules failed to hit the sweet spot between not too easy but not way above my level. Some modules just gave you step by step directions, and you had to take the extra step to play around and learn. Some modules seemed to be missing information that googling could not solve. For those, I turned to the discord or reddit communities which were super helpful. Regardless of if it is too easy or too hard, there are certainly opportunities to learn beyond what the module teaches.
My Advice: DOCUMENT EVERYTHING. I'll list 3 reasons why you want to document it all, even when it may seem unecessary. 1) It allows you to track progress over time, both short and long term. In many instances I had to reset the machine, and may have lost some progress. I would have to start over because I could not remember the previous steps I took. In the long term, you can see how far you advanced. I look back at some of the notes I took early on in the module, and I can see some questions I had which I can now answer. It is motivating to see progress like that. 2) When going through the boxes, writing everything down will help organize your thoughts, and will help you remember what you have already tried and what else you can do. 3) To give back to the community. I got so much help from others who completed the track and took notes well enough that they could go back and help. Now after having completed it myself, I try to help others, but usually can't remember the process I went through.
Is this course right for you? Well I'll put it this way. It took me a LONG time to complete. I want to say about a year, but I was not really serious about it until later, so I'll average it to about 5 months of tons of work. I wanted to complete it so that I could get the CPTS certification, which I still plan on doing. If you want to learn skills, I would go through their individual modules, picking out the specific skills you want to learn. But if you specifically want to learn skills for penetration testing, I would advise this track as it can help guide you in the right direction. I came in with some programming and IT knowledge, but minimal cybersecurity ability. It was hard but doable. If you already have some cyber background, this course would be significantly easier, but there is still a lot more that it can help you learn or formalize. And if you also want the CPTS certification, this course is a prerequisite.
Overall, it was a tremendous learning experience, and I am happy with their service and would return to try some of their other modules and paths.