Token impersonation

Windows identifies users by generating an access token assigned to each user. This token contains information about the user's privileges. When a user runs a process or thread, the primary token is assigned, specifying the permissions for that process. A thread can also have an impersonation token assigned, which provides a different security context; in this case, the process will run based on the impersonation token instead of the primary token.

Enumeration

Checking if current user has the SeImpersonatePrivilege :

whoami /priv

Potato Exploits

The "Potato" tools exploit misconfigurations or vulnerabilities in how Windows handles inter-process communication, specifically with services that trust and elevate tokens such as NT AUTHORITY\SYSTEM.

Sweet Potato: The All-in-One King

Sweet Potato is a modern successor to many previous potato exploits. It's designed to work across various versions of Windows, making it versatile.

Rogue Potato (Windows >= 1809 / Server 2019)

Rogue Potato is a privilege escalation exploit designed for Windows 10 1809 and above, including Windows Server 2019.

Juicy Potato (Windows < 1809 / Server < 2019)

Juicy Potato is a privilege escalation exploit designed for Windows 10 prior to 1809 or Server prior to 2019.1809 and above, including Windows Server 2019.

Other Potato Variants

References

PreviousScheduled Tasks NextBackup Operators Group

Last updated 1 year ago

hashtagEnumeration

hashtagPotato Exploits

hashtagSweet Potato: The All-in-One King

hashtagRogue Potato (Windows >= 1809 / Server 2019)

hashtagJuicy Potato (Windows < 1809 / Server < 2019)

hashtagOther Potato Variants

hashtagReferences