lambda.de

`nmap -A -v -p-` gives

```
Nmap scan report for lambda.de (218.101.64.66)
Host is up (0.00027s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 5.5p1 Debian 6+squeeze5 (protocol 2.0)
| ssh-hostkey:
|   1024 ea:1d:70:bd:d6:4d:81:ee:60:f4:a8:68:8f:ef:eb:b2 (DSA)
|_  2048 8a:e6:87:ec:b2:27:b9:3d:da:d2:fc:0e:b3:78:80:87 (RSA)
25/tcp   open     smtp       Microsoft Exchange smtpd
| smtp-commands: site-smtp.lambda.de Hello [208.200.200.10], SIZE 36700160, PIPELINING, DSN, ENHANCEDSTATUSCODES, STARTTLS, X-ANONYMOUSTLS, AUTH, X-EXPS NTLM, 8BITMIME, BINARYMIME, CHUNKING, XEXCH50, XSHADOW,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT
| ssl-cert: Subject: commonName=site-smtp
| Subject Alternative Name: DNS:site-smtp, DNS:site-smtp.lambda.de
| Issuer: commonName=site-smtp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2022-03-08T02:11:48
| Not valid after: 2027-03-08T02:11:48
| MD5: d58c 2a41 a6c1 a77e dea8 8f6f 55fe 0cef
|_SHA-1: 2793 f4ad 81ea d961 b4d5 a4de d1fa e2dc 7f7c 2041
|_ssl-date: 2022-03-19T13:07:24+00:00; +2s from scanner time.
80/tcp   open     http       Apache httpd 2.4.6 ((CentOS) PHP/5.5.38)
| http-methods:
|   Supported Methods: OPTIONS GET HEAD POST TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.5.38
|_http-title: Ontario Election Services » Vote Now!
8080/tcp filtered http-proxy
Service Info: Host: site-smtp.lambda.de; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
```

```
65.61.65.66 datasafe.votenow.local
```

This gives us access to a phpMyAdmin thing that we can most probably exploit: https://www.exploit-db.com/exploits/50457

Most probably this, according to the stream:

```
curl http://65.61.65.66/config.php.bak
```

EXPLOIT PROPOSAL

CURL NEW PASSWORD -> use exploit-db.com to get access -> change flag value to our