It took me only 5 minutes to find an RCE on Bentley

3 min readJun 21, 2020

Hi Guys,

I have been doing Bug Bounty for 8-months, I would like to share one of the interesting bug that I had found on Bentley.

Here’s the story starts:-

While searching the external bug bounty programs on google via some dorks, Bentley’s responsible disclosure caught my attention.

So I quickly open it saw that all the subdomains are in-scope but the infrastructure was out of scope and the maximum bounty is $500.

Then I initiated my testing by opening censys and then I searched “bentley.com”, the results were not interesting. Then I enabled the SSH filter.

What is censys?

Censys is a wonderful search engine used to get the latest and most accurate information about any device connected to the internet, it can be servers or domain names. You will be able to find full geographic and technical details about 80 and 443 ports running on any server, as well as HTTP/S body content & GET response of the target website, Chrome TLS Handshake, full SSL Certificate Chain information, and WHOIS information.

And there was an IP address that belongs to Bentley as “CN=*bentley.com” was written in their certificates, now I’s certain that IP belongs to Bentley.

The next step was to have using Putty.exe to connect to that IP’s SSH protocol.

What is Putty?

PuTTY (/ˈpʌti/) is a free and open-source terminal emulator, serial console, and network file transfer application. It supports several network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection. It can also connect to a serial port. The name “PuTTY” has no official meaning.

When I enter the IP that I have found through censys in the putty software, I got this

Firstly I tried admin:admin as they are using Keyboard Authentication, the server returns as “access denied”. But when I enter admin:password, the server accepts these credentials and took me into the server and I got this