I don't believe this is an issue with SweetPotato, I think it may be caused by the fact that I obfuscated SweetPotato to bypass Defender, or it could be something in the system's configuration. I'm trying to understand why running the SweetPotato privesc using execute-assembly with Cobalt Strike or Sliver fails, but if I run it in an interactive session it succeeds? I did obfuscate some function names and recompiled to bypass Defender but I would think that if it works in an interactive session then it would work in a C2 with execute-assembly. Is it possible that my efforts to bypass Defender changed something in the code that I need to fix before it will work using execute-assembly? Thanks in advance.

Hi there, any idea why is it throwing this error? (I am trying this with a user that has SeImpersonate privilege & the target is Windows 11)

C:\Users\lowshell\Desktop>SweetPotato.exe -e EfsRpc -p C:\Windows\System32\calc.exe
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method EfsRpc to launch C:\Windows\System32\calc.exe
Could not load file or assembly 'NtApiDotNet, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
[!] No authenticated interception took place, exploit failed

EDIT: I've done some troubleshooting and figured that it needs NtApiDotNet.dll to be present in the same folder.
Is there a way the dll can be embedded in the tool's exe somehow?

Thanks!

While using SweetPotato with default CLSID on Windows 10.0.18362 (x64)，it failed with following output:

SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery

[=] Your version of Windows fixes DCOM interception forcing BITS to perform WinRM intercept
[+] Attempting NTLM Auth with CLID 4991D34B-80A1-4291-83B6-3328366B9097 on port 5985 using method Token to launch c:\Windows\System32\cmd.exe
[!] No authenticated interception took place, exploit failed

Hi,

Thanks for the latest update about EfsPotato. After the merge commit, I started to get following error:

Error CS2001 Source file 'C:\Users\testMachine\Desktop\SweetPotato\NtApiDotNet\Win32\Rpc\Transport\RpcNamedPipeTransport.cs' could not be found.

Why won't you merge NtApiDotNet.dll to the main executable? You can add a post-build event or use the ILmerge plugin directly.

[+] Attempting DCOM NTLM interception with CLID 4991D34B-80A1-4291-83B6-3328366B9097 on port 6666 using method Token to launch c:\Windows\System32\cmd.exe

找不到指定的物件輸出程式。 (發生例外狀況於 HRESULT: 0x80070776)
[!] No authenticated interception took place, exploit failed

@CCob Hi, I would like to ask what is the reason for this

Can't compile NtApiDotNet with VS2019. So I removed the sub project and installed NtApiDotNet from nuget, and it compiles now.

Can you update the project?

Hi,

I've tried using this and get two different errors for the same code but none seem to work. The exploit works absolutely fine with JuicyPotato.exe with the same parameters everytime but this fails.

I have also tried by uploading the executable directly to the host.

[+] Attempting DCOM NTLM interception with CLID 4991D34B-80A1-4291-83B6-3328366B9097 on port 6666 using method Token to launch c:\temp\testrun.bat
The remote procedure call failed and did not execute. (Exception from HRESULT: 0x800706BF)
[!] No authenticated interception took place, exploit failed

JuciyPotato JuicyPotato

Could not load file or assembly 'NtApiDotNet, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.

Here is a photo as a reference:

Here is the built project on fresh installed Visual Studio 2022:

Here is the same output in plaintext:

beacon> execute-assembly C:\Users\rto\Desktop\SweetPotato-master\bin\Debug\SweetPotato.exe -p C:\Users\rto\Desktop\hello.exe
[*] Tasked beacon to run .NET program: SweetPotato.exe -p C:\Users\rto\Desktop\hello.exe
[+] host called home, sent: 296557 bytes
[+] received output:
SweetPotato by @_EthicalChaos_
  Orignal RottenPotato code and exploit by @foxglovesec
  Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
  PrintSpoofer discovery and original exploit by @itm4n
  EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
[+] Attempting NP impersonation using method PrintSpoofer to launch C:\Users\rto\Desktop\hello.exe
Could not load file or assembly 'NtApiDotNet, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
[!] No authenticated interception took place, exploit failed

If you get this error, make sure to place both SweetPotato.exe and NtApiDotNet.dll (located in the output folder) in the same folder when executing the program on a target.