It Took Me Only 5 Minutes To Find An RCE On Bentley - by Divyansh Sharma - Medium


4/30/22, 4:44 AM It took me only 5 minutes to find an RCE on Bentley | by Divyansh Sharma | Medium

Divyansh Sharma

Jun 21, 2020 · 3 min read

It took me only 5 minutes to find an RCE on Bentley
Hi Guys,

I have been doing bug bounty for 8 months, and I would like to share one of the interesting
bugs that I found on Bentley.

Here’s how the story starts:


While searching for external bug bounty programs on Google via some dorks, Bentley’s
responsible disclosure program caught my attention.

https://divyanshsharma2401.medium.com/it-took-me-only-5-minutes-to-find-an-rce-on-bentley-38265da15788 1/5

So I quickly opened it and saw that all the subdomains were in scope but the infrastructure was
out of scope, and the maximum bounty was $500.

Then I started my testing by opening Censys and searching for “bentley.com”; the
results were not interesting. Then I enabled the SSH filter.

What is Censys?

Censys is a wonderful search engine used to get the latest and most accurate information
about any device connected to the internet, whether servers or domain names. You can
find full geographic and technical details about ports 80 and 443 on any server, as well as
the HTTP/S body content and GET response of the target website, the Chrome TLS
handshake, the full SSL certificate chain, and WHOIS information.

And there was an IP address that belonged to Bentley, as “CN=*bentley.com” was
written in its certificate, so now I was certain that the IP belonged to Bentley.

The next step was to use Putty.exe to connect to that IP over SSH.

What is PuTTY?

PuTTY (/ˈpʌti/) is a free and open-source terminal emulator, serial console, and network
file transfer application. It supports several network protocols, including SCP, SSH, Telnet,
rlogin, and raw socket connections. It can also connect to a serial port. The name “PuTTY”
has no official meaning.

When I entered the IP that I had found through Censys into PuTTY, I got this:


First I tried admin:admin, as they were using keyboard-interactive authentication; the server
returned “access denied”. But when I entered admin:password, the server accepted these
credentials and let me into the server, and I got this:
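The login sequence above (a rejected keyboard-interactive attempt followed by an accepted one for the same account from the same source) is exactly what the host's sshd log records, and it is the pattern a defender can alert on. The following is an added example, not code from the original post: it parses OpenSSH auth-log lines in their standard format and flags any source that is accepted after failing against the same user. The log lines, hostnames, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the post); hosts and IPs are made up.
SAMPLE_LOG = """\
Jun 21 10:02:11 srv1 sshd[2011]: Failed password for admin from 198.51.100.23 port 50122 ssh2
Jun 21 10:02:19 srv1 sshd[2011]: Failed keyboard-interactive/pam for admin from 198.51.100.23 port 50122 ssh2
Jun 21 10:02:27 srv1 sshd[2011]: Accepted keyboard-interactive/pam for admin from 198.51.100.23 port 50122 ssh2
Jun 21 10:05:03 srv1 sshd[2044]: Accepted publickey for deploy from 203.0.113.9 port 41002 ssh2
Jun 21 10:07:40 srv1 sshd[2050]: Failed password for invalid user test from 192.0.2.77 port 33004 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (result, method, user, ip) for each sshd auth line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_success_after_failure(log_text):
    """Return {(user, ip): (failures_before_success, method)} for password or
    keyboard-interactive logins that were accepted only after at least one
    rejected attempt from the same source against the same account.
    Public-key logins are ignored: a key is not guessed this way."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, ip in parse(log_text):
        if method.startswith("publickey"):
            continue
        key = (user, ip)
        if result == "Failed":
            failures[key] += 1
        elif failures[key] > 0:
            hits[key] = (failures[key], method)
    return hits


if __name__ == "__main__":
    for (user, ip), (count, method) in find_success_after_failure(SAMPLE_LOG).items():
        print(f"ALERT: {user}@{ip} accepted via {method} after {count} failed attempt(s)")
```

On a real host the same check runs over /var/log/auth.log or `journalctl -u ssh`; the durable fix is disabling password and keyboard-interactive authentication for such accounts in sshd_config and keeping management SSH off the public internet.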

So now I was thinking: can I retrieve the /etc/passwd file from the server? And yes, I was
right, I could.

etc/passwd file

Then I quickly wrote a proper report and sent it to Bentley’s security team, and after a
month I got a reply from the team.


BOUNTY

Thanks for reading my write-up.


Connect with me

LinkedIn : https://www.linkedin.com/in/divyansh-sharma-0923861a4/
