Token impersonation

Windows identifies users by an access token that is generated at logon and assigned to each user. The token contains the user's identity and privileges. When a user starts a process, that primary token is assigned to the process and determines its permissions. A thread can additionally be given an impersonation token, which provides a different security context; while it holds one, the thread runs under the impersonation token instead of the process's primary token.

Enumeration

Checking whether the current user holds SeImpersonatePrivilege:

whoami /priv
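As an added example (not part of the original page), the following Python script parses captured `whoami /priv` output and flags the two privileges that allow token impersonation, SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. The sample output embedded in the script is constructed for illustration and was not captured from a real host; the function names are this example's own. The check deliberately ignores the State column, because a privilege listed as Disabled is still held by the token and can be enabled by the process itself.

```python
import re

# Constructed sample of `whoami /priv` output for a service account.
# It is not captured from any real host; the privilege set is typical
# of the service identities that commonly hold SeImpersonatePrivilege.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

# Privileges that let a process run code under another account's token.
# Either one is sufficient for the token impersonation technique above.
TOKEN_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# One table row: privilege name, free-text description, then the state.
_ROW = re.compile(r"^(Se\w+)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: (description, state)} from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            name, desc, state = m.groups()
            privs[name] = (desc.strip(), state)
    return privs


def token_impersonation_risk(privs):
    """Return the sorted list of token privileges present in the parsed output.

    Presence is what matters: a privilege shown as Disabled is still held by
    the token and can be enabled by the holding process (AdjustTokenPrivileges),
    so no filtering on State is done here.
    """
    return sorted(TOKEN_PRIVILEGES & set(privs))


def report(text):
    """Build a short human-readable summary for one account's output."""
    privs = parse_whoami_priv(text)
    risky = token_impersonation_risk(privs)
    lines = [f"{len(privs)} privileges parsed"]
    if risky:
        lines.append("token impersonation possible via: " + ", ".join(
            f"{p} ({privs[p][1]})" for p in risky))
    else:
        lines.append("no token impersonation privileges held")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_WHOAMI_PRIV))
```

Running the script against the constructed sample reports both privileges. The same parser can be pointed at `whoami /priv` output collected from each service account during a hardening review, to list which accounts on a host would be exposed if one of their processes were compromised.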

Potato Exploits

The "Potato" family of tools exploits weaknesses in how Windows handles inter-process communication, specifically the way a process holding SeImpersonatePrivilege can impersonate the token of a service running as NT AUTHORITY\SYSTEM.

Sweet Potato: The All-in-One King

Sweet Potato is a modern successor to many previous potato exploits. It's designed to work across various versions of Windows, making it versatile.

Rogue Potato (Windows >= 1809 / Server 2019)

Rogue Potato is a privilege escalation exploit designed for Windows 10 1809 and above, including Windows Server 2019.

Juicy Potato (Windows < 1809 / Server < 2019)

Juicy Potato is a privilege escalation exploit designed for Windows 10 versions prior to 1809 and Windows Server versions prior to 2019.

Other Potato Variants
