Potatoes - Windows Privilege Escalation
https://github.com/S3cur3Th1sSh1t/MultiPotato
SensePost | Certpotato - using adcs to privesc from virtual and network service accounts to local system
https://github.com/zcgonvh/DCOMPotato
More privesc w/ SeImpersonatePrivilege
We thought they were potatoes but they were beans (from Service Account to SYSTEM again)
- This EoP works only if WinRM is disabled. This is the default on Windows 10 but NOT on Windows Servers.
- Impersonation privilege (SeImpersonatePrivilege) is needed; service accounts typically hold it.
- BITS must not already be running. If a background transfer job is in progress, waiting for it to finish could take a long time (imagine a Windows Update...).