# Potatoes
* [Hot Potato](https://foxglovesecurity.com/2016/01/16/hot-potato/)
* [Rotten Potato](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/)
* [Lonely Potato](https://decoder.cloud/2017/12/23/the-lonely-potato/)
* [Juicy Potato](https://ohpe.it/juicy-potato/)
* [Rogue Potato](https://decoder.cloud/2020/05/11/no-more-juicypotato-old-story-welcome-roguepotato/)
* [LocalPotato (CVE-2023-21746)](https://github.com/decoder-it/LocalPotato.git) works by abusing NTLM local authentication Security Context IDs: it starts a local SMB server and has a privileged and an unprivileged process connect at the same time. Both receive a security context ID, and the two IDs are then swapped between the processes. Additionally, DLL hijacking is needed to get a higher-privileged shell. [This is done via `SvcRebootToFlashingMode` of StorSvc and interpositioning of `SprintCSP.dll`](https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc) in PATH.
* [Original Post from James Forshaw and Elad Shamir](https://decoder.cloud/2023/02/13/localpotato-when-swapping-the-context-leads-you-to-system/)
* [Security Online](https://securityonline.info/poc-exploit-for-windows-ntlm-privilege-escalation-flaw-cve-2023-21746-published/)