OSCP Notes
Token impersonation


Last updated 7 months ago

Windows identifies users by generating an access token for each user. The token carries information about the user's privileges. When a user starts a process or thread, it is assigned a primary token that specifies the permissions for that process. A thread can additionally be assigned an impersonation token, which provides a different security context; in that case the thread runs under the impersonation token instead of the primary token.

Enumeration

Checking whether the current user holds SeImpersonatePrivilege:

whoami /priv
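As an added example that is not part of the original notes, a small Python audit helper that parses saved `whoami /priv` output (a constructed sample is embedded; the values are illustrative) and reports whether SeImpersonatePrivilege is present and enabled. Column boundaries are taken from the `====` ruler line, because on the row with the longest description only a single space separates Description from State and whitespace splitting would merge the two columns.

```python
import re

# Constructed sample of `whoami /priv` output for a service-style account;
# the values are illustrative, not captured from a real host.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# The privilege this page names as the precondition for token impersonation.
HIGH_RISK_PRIVILEGES = {"SeImpersonatePrivilege"}


def parse_whoami_priv(text: str) -> dict[str, dict[str, str]]:
    """Map privilege name -> {"description", "state"} from `whoami /priv` output.
    Column offsets come from the '====' ruler line, since the longest Description
    is separated from State by only one space and cannot be split on whitespace."""
    lines = text.splitlines()
    ruler_idx = next(i for i, line in enumerate(lines) if line.startswith("="))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler_idx])]
    privileges = {}
    for row in lines[ruler_idx + 1:]:
        if not row.strip():
            continue
        privileges[row[: spans[0][1]].strip()] = {
            "description": row[spans[1][0]:spans[2][0]].strip(),
            "state": row[spans[2][0]:].strip(),
        }
    return privileges


def enabled_high_risk(privileges: dict[str, dict[str, str]]) -> list[str]:
    """Names of high-risk privileges that are present and enabled."""
    return sorted(name for name, info in privileges.items()
                  if name in HIGH_RISK_PRIVILEGES and info["state"] == "Enabled")


if __name__ == "__main__":
    print("Enabled high-risk privileges:", enabled_high_risk(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)))
```

Feed it `whoami /priv > privs.txt` output collected from service accounts to find which ones an attacker could use for token impersonation and should be reviewed for least privilege.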

Potato Exploits

The "Potato" tools exploit misconfigurations or vulnerabilities in how Windows handles inter-process communication, specifically with services that trust and elevate tokens such as NT AUTHORITY\SYSTEM.

Sweet Potato: The All-in-One King

Sweet Potato is a modern successor to many of the earlier Potato exploits. It is designed to work across various versions of Windows, which makes it the most versatile of the family.

Rogue Potato (Windows >= 1809 / Server 2019)

Rogue Potato is a privilege escalation exploit designed for Windows 10 1809 and above, including Windows Server 2019.

Juicy Potato (Windows < 1809 / Server < 2019)

Juicy Potato is a privilege escalation exploit designed for Windows 10 versions prior to 1809 and Windows Server versions prior to 2019.

Other Potato Variants

References

Sweet Potato
Rogue Potato
Juicy Potato
Hot Potato
Rotten Potato
Lonely Potato
Generic Potato
Jorge Lajara Website
Potato exploits overall blog
RoguePotato, PrintSpoofer, SharpEfsPotato (HackTricks)
Potato usage cheatsheet