This repository attempts to centralize all of the various Potato exploits. Feel free to open a PR and update the README if you wish to add another.
The "potato" family of privilege escalation attacks on Windows was started with the introduction of Hot Potato in 2016. These attacks typically exploit authentication mechanisms, credentials, and services with impersonation privileges to elevate from a service account to system level access.
Almost every one of the potatoes target a different component of Windows to take advantage of the πππΌπππππ ππππ‘πππππ£πππππ or πππ΄π π ππππππππππ¦πππππππππ£πππππ permissions.
To increase your chances of success in using them, you'll want to start at the newest (9), and work your way back to (1).
Here are all the popular potatoes in chronological order from oldest (1) to newest (9):
- Hot Potato - NTLM relay (HTTP->SMB relay) and NBNS spoofing
- Rotten Potato - Windows Service Accounts
- Juicy Potato - Windows Service Accounts
- Lonely Potato - DCOM (Distributed Component Object Model)
- Rogue Potato - RPC over custom ports
- Sweet Potato - Print Spooler
- Generic Potato - HTTP and named pipes
- SharpEfsPotato - EfsRpc
- God Potato - DCOM (Distributed Component Object Model)
- Local Potato - NTLM authentication challenge process