{
	"id": "45862c8f-ec18-45e5-8d6a-22e91d589e2e",
	"created_at": "2026-04-06T00:17:24.139041Z",
	"updated_at": "2026-04-10T13:11:48.301994Z",
	"deleted_at": null,
	"sha1_hash": "d249aa13843a582c5787b4885db759486d5996e8",
	"title": "GitHub - Kevin-Robertson/Tater: Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit from @breenmachine and @foxglovesec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 200085,
	"plain_text": "GitHub - Kevin-Robertson/Tater: Tater is a PowerShell\r\nimplementation of the Hot Potato Windows Privilege Escalation\r\nexploit from @breenmachine and @foxglovesec\r\nBy Kevin-Robertson\r\nArchived: 2026-04-05 14:19:20 UTC\r\nTater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.\r\nCredit\r\nAll credit goes to @breenmachine, @foxglovesec, Google Project Zero, and anyone else that helped work out the\r\ndetails for this exploit.\r\nPotato - https://github.com/foxglovesec/Potato\r\nIncluded In\r\np0wnedShell - https://github.com/Cn33liz/p0wnedShell\r\nPowerShell Empire - https://github.com/PowerShellEmpire/Empire\r\nPS\u003eAttack - https://github.com/jaredhaight/psattack\r\nFunctions\r\nInvoke-Tater\r\nThe main Tater function.\r\nParameters\r\nIP - Specify a specific local IP address. An IP address will be selected automatically if this parameter is not\r\nused.\r\nSpooferIP - Specify an IP address for NBNS spoofing. This is needed when using two hosts to get around\r\nan in-use port 80 on the privesc target.\r\nCommand - Command to execute as SYSTEM on the localhost. Use PowerShell character escapes where\r\nnecessary.\r\nNBNS - Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofing.\r\nNBNSLimit - Default = Enabled: (Y/N) Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS\r\nspoofing while hostname is resolving correctly.\r\nExhaustUDP - Default = Disabled: (Y/N) Enable/Disable UDP port exhaustion to force all DNS lookups\r\nto fail in order to fallback to NBNS resolution.\r\nhttps://github.com/Kevin-Robertson/Tater\r\nPage 1 of 5\n\nHTTPPort - Default = 80: Specify a TCP port for the HTTP listener and redirect response.\r\nHostname - Default = WPAD: Hostname to spoof. WPAD.DOMAIN.TLD may be required by Windows\r\nServer 2008.\r\nWPADDirectHosts - Comma separated list of hosts to list as direct in the wpad.dat file. Note that localhost\r\nis always listed as direct.\r\nWPADPort - Default = 80: Specify a proxy server port to be included in the wpad.dat file.\r\nTrigger - Default = 1: Trigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows\r\nDefender Signature Update, 2 = Windows 10 Webclient/Scheduled Task\r\nTaskDelete - Default = Enabled: (Y/N) Enable/Disable scheduled task deletion for trigger 2. If enabled, a\r\nrandom string will be added to the taskname to avoid failures after multiple trigger 2 runs.\r\nTaskname - Default = Tater: Scheduled task name to use with trigger 2. If you observe that Tater does not\r\nwork after multiple trigger 2 runs, try changing the taskname.\r\nRunTime - Default = Unlimited: (Integer) Set the run time duration in minutes.\r\nConsoleOutput - Default = Disabled: (Y/N) Enable/Disable real time console output. If using this option\r\nthrough a shell, test to ensure that it doesn't hang the shell.\r\nStatusOutput - Default = Enabled: (Y/N) Enable/Disable startup messages.\r\nShowHelp - Default = Enabled: (Y/N) Enable/Disable the help messages at startup.\r\nTool - Default = 0: (0,1,2) Enable/Disable features for better operation through external tools such as\r\nMetasploit's Interactive Powershell Sessions and Empire. 0 = None, 1 = Metasploit, 2 = Empire\r\nStop-Tater\r\nFunction to manually stop Invoke-Tater.\r\nUsage\r\nTo import with Import-Module:\r\nImport-Module ./Tater.ps1\r\nTo import using dot source method:\r\n. ./Tater.ps1\r\nExamples\r\nBasic trigger 1 example\r\nInvoke-Tater -Trigger 1 -Command \"net user tater Winter2016 /add \u0026\u0026 net localgroup administrators tater\r\n/add\"\r\nBasic trigger 2 example\r\nInvoke-Tater -Trigger 2 -Command \"net user tater Winter2016 /add \u0026\u0026 net localgroup administrators tater\r\n/add\"\r\nTwo system setup to get around port 80 being in-use on the privesc target\r\nWPAD System - 192.168.10.100 - this system will just serve up a wpad.dat file that will direct HTTP\r\nhttps://github.com/Kevin-Robertson/Tater\r\nPage 2 of 5\n\ntraffic on the privesc target to the non-80 HTTP port\r\nInvoke-Tater -Trigger 0 -NBNS N -WPADPort 8080 -Command \"null\"\r\nPrivesc Target - 192.168.10.101\r\nInvoke-Tater -Command \"net user Tater Winter2016 /add \u0026\u0026 net localgroup administrators Tater /add\" -\r\nHTTPPort 8080 -SpooferIP 192.168.10.100\r\nScreenshots\r\nWindows 7 using trigger 1 (NBNS WPAD Bruteforce + Windows Defender Signature Updates)\r\nhttps://github.com/Kevin-Robertson/Tater\r\nPage 3 of 5\n\nWindows 10 using trigger 2 (WebClient Service + Scheduled Task)\r\nhttps://github.com/Kevin-Robertson/Tater\r\nPage 4 of 5\n\nWindows 7 using trigger 1 and UDP port exhaustion\r\nSource: https://github.com/Kevin-Robertson/Tater\r\nhttps://github.com/Kevin-Robertson/Tater\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/Kevin-Robertson/Tater"
	],
	"report_names": [
		"Tater"
	],
	"threat_actors": [],
	"ts_created_at": 1775434644,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d249aa13843a582c5787b4885db759486d5996e8.pdf",
		"text": "https://archive.orkl.eu/d249aa13843a582c5787b4885db759486d5996e8.txt",
		"img": "https://archive.orkl.eu/d249aa13843a582c5787b4885db759486d5996e8.jpg"
	}
}