A list of windows potatoes!
| Potato Name | Description | Read More |
|---|---|---|
| MultiPotato | Another Potato to get SYSTEM via SeImpersonate privileges but it doesn't contain any SYSTEM auth triggers, allowing the user to integrate one themselves; it also allows the user to use CreateProcessWithTokenW, CreateProcessWithTokenW, CreateProcessAsUserW, CreateUser and BindShell whereas normally only CreateProcessWithTokenW is available in public exploits. |
https://github.com/S3cur3Th1sSh1t/MultiPotato |
| Hot Potato | Hot potato is the code name of a Windows privilege escalation technique that was discovered by Stephen Breen. This technique is actually a combination of two known windows issues like NBNS spoofing and NTLM relay with the implementation of a fake WPAD proxy server which is running locally on the target host. | https://pentestlab.blog/2017/04/13/hot-potato/ |
| Rotten Potato | - | https://github.com/breenmachine/RottenPotatoNG |
| Lonely Potato | Rotten Potato but without meterpreter and the incognito module | https://decoder.cloud/2017/12/23/the-lonely-potato/ |
| Juicy Potato | Rotten Potato but more flexible | https://github.com/ohpe/juicy-potato |
| Rogue Potato | - | https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/ |
| Ghost Potato | Halloween has come and gone; and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years. | https://shenaniganslabs.io/2019/11/12/Ghost-Potato.html |
| Remote Potato | The remote potato is a technique which was discovered by Antonio Cocomazzi and Andrea Pierini which could allow threat actors to elevate their privileges from Domain user to Enterprise Administrator. This technique is performing a cross-protocol relay to implement the NTLM reflection attack and relays the elevated NTLM authentication to the domain controller to achieve privilege escalation. According to the article which describes the technical details this attack is feasible when various conditions are in place: | https://pentestlab.blog/2021/05/04/remote-potato-from-domain-user-to-enterprise-admin/ |
| Candy Potato | Pure C++; weaponized; fully automated implementation of RottenPotatoNG | https://github.com/klezVirus/CandyPotato |