SeImpersonatePrivilege
This method takes advantage of SeImpersonatorPrivilege or SeAssignPrimaryTokenPrivelge privelges to elevate the privilege from local to system. This is usually enabled by default when IIS or SQL services are installed.
The status can be checked using the following command,
HotPotato
It was the first potato and was discovered by Stephen Breen. It can be downloaded from here. DCOM has to be enabled for this attack to work.
JuicyPotato
Juicypotato is a privilege escalation tool created by Andrea Pierini and Giuseppe Trotta.
A COM server with unique CLSID is required for exploiting this vulnerability. You can get the CLSID from the predefined list put together by the author here.
Alternatively, you can also find the CLSID that will work on the target system by using the following series of scripts,
Load the following PS script,
Then use the following script to generate the list of possible CLSID,
The following script will then try all the CLSID that you generated to find a vulnerable one,
Once we have everything we need we can use the Juicypotato to elevate the privilege by executing Netcat and have it do a reverse shell back to your machine,
You can also craft a common executable with the malicious payload using tools like "shellter" and have it executed from the target system through Juicypotato.
JuicyPotato doesn't work on Windows Server 2019 and Windows 10 build 1809 onwards.
JuicyPotatoNG
This is the next iteration of the JuicyPotato and it can be downloaded from here.
PrintSpoofer64
The executable can be downloaded from here.
RoguePotato
The executable can be downloaded from here.
GodPotato
The executable can be downloaded from here.
SharpEfsPotato
The executable can be downloaded from here.
Last updated