It Took Me Only 5 Minutes To Find An RCE On Bentley - by Divyansh Sharma - Medium
I have been doing bug bounty for 8 months, and I would like to share one of the interesting
bugs that I found on Bentley.
https://divyanshsharma2401.medium.com/it-took-me-only-5-minutes-to-find-an-rce-on-bentley-38265da15788 1/5
4/30/22, 4:44 AM It took me only 5 minutes to find an RCE on Bentley | by Divyansh Sharma | Medium
So I quickly opened it and saw that all the subdomains were in scope but the infrastructure was
out of scope, and the maximum bounty was $500.
Then I started my testing by opening Censys and searching for "bentley.com"; the
results were not interesting. Then I enabled the SSH filter.
What is Censys?
Censys is a search engine that indexes current information about devices reachable on the
internet, whether you look them up by IP address or by domain name. For a host it reports
geographic and technical details of the services found on it (ports 80 and 443 among others),
the HTTP/S response body and GET response headers of the target site, the TLS handshake as a
Chrome client would see it, the full certificate chain, and WHOIS information. Filtering a
domain search down to the hosts that expose SSH is what turns a list of web servers into a
list of login prompts to try.
The next step was to use PuTTY.exe to connect to that IP over SSH.
What is Putty?
PuTTY (/ˈpʌti/) is a free and open-source terminal emulator, serial console, and network
file transfer application. It supports several network protocols, including SCP, SSH, Telnet,
rlogin, and raw socket connection. It can also connect to a serial port. The name “PuTTY”
has no official meaning.
When I entered the IP that I had found through Censys into PuTTY, I got this:
First I tried admin:admin, as they were using keyboard-interactive authentication; the server
returned "Access denied". But when I entered admin:password, the server accepted these
credentials and took me into the server, and I got this:
So now I'm thinking, can I retrieve the /etc/passwd file from the server? And yes, I'm
right, I can:
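What the author describes is exactly the trace a credential-guessing session leaves in the server's auth log: one or more failed attempts followed by an accepted password or keyboard-interactive login from the same source address. The following is an added example, not code from the original post, that flags that pattern over a handful of constructed sshd log lines. The hostnames, usernames and addresses in the sample are made up, and the parser assumes the classic syslog-style lines OpenSSH writes to auth.log rather than journald output.

```python
"""Flag SSH logins that a credential-guessing session could have produced:
an Accepted password/keyboard-interactive login that follows Failed attempts
from the same source address within a short window."""
import re
from collections import defaultdict
from datetime import datetime

# Outcome lines as OpenSSH writes them to the auth log (syslog timestamp,
# host, "sshd[pid]:", then the verdict), e.g.
#   Failed keyboard-interactive/pam for admin from 203.0.113.10 port 51234 ssh2
#   Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:...
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Methods a guessing session can succeed with; public-key logins are not guessable.
GUESSABLE_METHODS = {"password", "keyboard-interactive/pam", "keyboard-interactive"}

# Constructed sample log; hosts, users and addresses are made up for the example.
SAMPLE_LOG = """\
Apr 30 04:39:58 bastion sshd[2201]: Failed keyboard-interactive/pam for admin from 203.0.113.10 port 51234 ssh2
Apr 30 04:40:09 bastion sshd[2201]: Accepted keyboard-interactive/pam for admin from 203.0.113.10 port 51234 ssh2
Apr 30 04:41:30 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:AbCdEf
Apr 30 04:42:02 bastion sshd[2255]: Failed password for invalid user oracle from 192.0.2.44 port 50001 ssh2
Apr 30 04:42:05 bastion sshd[2255]: Failed password for invalid user oracle from 192.0.2.44 port 50001 ssh2
Apr 30 04:55:10 bastion sshd[2290]: Accepted password for ops from 192.0.2.44 port 50077 ssh2
""".splitlines()


def parse_auth_line(line):
    """Return the fields of an sshd auth outcome line, or None for any other line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the parsed value is used for ordering only
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def detect_guessed_logins(lines, window_seconds=600, min_failures=1):
    """Return (src, user, method, failures_before) for every Accepted login via a
    guessable method that was preceded by at least min_failures Failed attempts
    from the same source within window_seconds. min_failures=0 flags every
    password-family login, the right setting where keys are mandatory."""
    failures = defaultdict(list)  # src -> timestamps of failed attempts
    alerts = []
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        src, ts = rec["src"], rec["ts"]
        if rec["outcome"] == "Failed":
            failures[src].append(ts)
            continue
        if rec["method"] not in GUESSABLE_METHODS:
            continue  # e.g. publickey: not reachable by guessing
        recent = [t for t in failures[src]
                  if 0 <= (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            alerts.append((src, rec["user"], rec["method"], len(recent)))
        failures[src].clear()  # a success ends the guessing session
    return alerts


if __name__ == "__main__":
    for src, user, method, n in detect_guessed_logins(SAMPLE_LOG):
        print(f"ALERT {src}: '{user}' accepted via {method} after {n} failure(s)")
```

On the sample, the admin login from 203.0.113.10 is flagged with the default settings (one failure, then success eleven seconds later), while the ops login from 192.0.2.44 is not, because its two failures fall outside the ten-minute window; widening the window to 900 seconds catches it too. Setting min_failures=0 reports every password-family login regardless of prior failures, which on a host that is supposed to be key-only is itself the finding.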
Then I quickly wrote a proper report and sent it to Bentley's security team, and after a
month I got a reply from the team.
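This class of finding is closed on the server side by turning off password and keyboard-interactive authentication in sshd_config, not by picking a better password for the admin account. As an added example, not part of the original post and not Bentley's configuration, the script below audits an sshd_config for the directives involved and compares a weak file against a hardened one. Both configs are constructed for the illustration; the defaults table reflects upstream OpenSSH defaults, which distribution packages may patch, so on a real host confirm the effective values with `sshd -T`.

```python
"""Audit an sshd_config for the directives that decide whether a guessed
username/password pair can reach a shell, and compare a weak file with a
hardened one. Both configs are constructed for this example."""
import re

# Hardened value for each audited directive. ChallengeResponseAuthentication is
# the older name for KbdInteractiveAuthentication and is folded into it below.
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

# Upstream OpenSSH defaults applied when a directive is absent or commented out.
# Distribution packages may change these; `sshd -T` prints the effective values.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_CONFIG = """\
# Constructed example of a config under which admin:password reaches a shell
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
# Appended later to "fix" it; sshd keeps the FIRST value of a directive, so this is ignored
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
# Constructed hardened counterpart: key-only logins, no root, explicit user allow-list
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
UsePAM yes
AllowUsers deploy ops
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.
    Directives are case-insensitive, written 'Key value' or 'Key=value', and the
    first occurrence wins (sshd's own rule). Parsing stops at the first Match
    block, whose conditional overrides are outside the scope of this audit."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return [(directive, effective_value, required_value)] for every audited
    directive whose effective value (explicit or default) is not the hardened one."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        effective = settings.get(key, DEFAULTS[key])
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The weak file produces three findings: password authentication, keyboard-interactive authentication and root login are all on. Note the trailing `PasswordAuthentication no` is reported as ineffective, because sshd honours the first value it reads for a directive; an appended fix that never takes effect is a common reason a host still accepts passwords after someone "hardened" it. The hardened file audits clean.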
BOUNTY
LinkedIn : https://www.linkedin.com/in/divyansh-sharma-0923861a4/