Windows Services

Hello, I am pretty new here as well and was wondering why the my.exe is considered a second exploit? (I’ll go through the guided exercise one more time.) What I also did was just create a new directory with the said exe file. Did I eventually ‘cheat’ my way through to get the flag?

So it’s not a “new exploit” as much as it’s an alternate exploit path. Every time there is an unquoted space it creates a new possibility for exploit.

For example:

C:\some directory\another directory\yet another directory\program.exe

Would offer three alternate attack vectors for exploit:

C:\some.exe
C:\some directory\another.exe
C:\some directory\another directory\yet.exe

3 Likes

Thanks a bunch @JosephWhite, it was so helpful.

So is this basically redirecting the service .exe to the attack vector .exe by deceiving it in the directories before the actual service .exe?

1 Like

That’s correct.

1 Like

This comment helped me to get the flag. Thank you.

1 Like

If the service path is C:\Program Files\myservice something\WindowsService1.exe and the path is unquoted, Windows will try to run C:\Program Files\myservice.exe before entering the myservice something folder and executing the real service.

It will also try C:\Program.exe as well :)
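To make the resolution rule from the two explanations above concrete (the `some directory` path and the `myservice something` path), here is an added audit helper that is not part of the thread: given a service ImagePath string, it lists the alternate executables Windows would try before the real binary, which is what a defender would scan the registry for. It emits one candidate per space in the unquoted path, so for the `yet another directory` example it also reports `yet another.exe`. The service names and ImagePath values in the sample are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Heuristic: the executable ends at the first ".exe" followed by whitespace
# or end of string; anything after that is treated as service arguments.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def unquoted_path_candidates(image_path: str) -> List[str]:
    """Return the paths CreateProcess would try, in order, before the intended
    binary when an ImagePath is unquoted and contains spaces.

    A quoted path, or an unquoted path without spaces, is unambiguous and
    yields an empty list.
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    match = _EXE_END.search(path)
    if match:
        path = path[: match.end()]          # drop trailing arguments
    # Every space is a point where Windows tries "<prefix>.exe" first.
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def audit_image_paths(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map service name -> hijack candidates for every ambiguous ImagePath."""
    findings = {}
    for name, image_path in services.items():
        candidates = unquoted_path_candidates(image_path)
        if candidates:
            findings[name] = candidates
    return findings


# Constructed sample ImagePath values (not real services).
SAMPLE_SERVICES = {
    "WindowsService1": r"C:\Program Files\myservice something\WindowsService1.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\vendor.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\system32\svchost.exe -k LocalService",
    "ArgsSvc": r"C:\Tools\my tool\tool.exe --config C:\Tools\my config.ini",
}

if __name__ == "__main__":
    for svc, paths in audit_image_paths(SAMPLE_SERVICES).items():
        print(f"{svc}: unquoted path with spaces, Windows tries first:")
        for p in paths:
            print(f"    {p}")
```

The fix is the same in every case: quote the ImagePath value so the whole string is treated as one executable path.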