# ANPTIC - Agence Nationale de Promotion des TIC
**Sector:** Government Digital Agency
**Date:** 2026-03-03
**Source:** WordPress REST API + THOT Recon

## Domains
| Domain | Status |
|--------|--------|
| `anptic.gov.bf` | UP |

## WordPress REST API User Enumeration
**Endpoint:** `/wp-json/wp/v2/users?per_page=100`
**Status:** OPEN — API returns full user list to unauthenticated requests

| ID | Display Name | Slug (username) | Role Indicator |
|----|-------------|-----------------|----------------|
| 1 | webmaster | webmaster | Site admin |
| 2 | Aicha Ilboudo | dcrp | DCRP = Direction de la Communication et des Relations Publiques |
| 3 | Axelle OUEDRAOGO | axelle | Content editor |

## Analysis
- **DCRP slug** on Aicha Ilboudo reveals organizational unit — Direction de la Communication et des Relations Publiques
- ANPTIC is the government digital agency — they should know better about API security
- This is the agency responsible for IT infrastructure across all government ministries
- robots.txt confirms WordPress: `/wp-admin/` disallowed, sitemap at anptic.gov.bf

## Impact
- User enumeration on the government's own IT agency
- DCRP department identified as content manager
- Named personnel: Aicha Ilboudo, Axelle Ouedraogo

## Lateral Findings (2026-03-04)

### Database Connection Error
**Status:** "Erreur lors de la connexion à la base de données"
- WordPress database is DOWN or unreachable
- iThemes Security bans endpoint returns DB error page instead of JSON
- Security plugins may not be functioning while DB is down
- Site may be in degraded state

### Server Fingerprint (from wp-admin redirect)
- **Server:** Apache/2.4.57 (Debian)
- **PHP:** 8.2.16
- **Plugins detected:** WP Download Manager (`__wpdm_client` cookie)

### WordPress API (381 routes exposed)
**Namespaces/Plugins:**

| Plugin | Namespace | Notes |
|--------|-----------|-------|
| iThemes Security | ithemes-security/v1 | Bans, modules, settings, tools, scanner, import/export |
| All in One SEO | aioseo/v1 | SEO configuration |
| Broken Link Checker | aioseoBrokenLinkChecker/v1 | Link monitoring |
| Contact Form 7 | contact-form-7/v1 | Form handler |
| WP Download Manager | wpdm | File downloads |
| MonsterInsights | monsterinsights/v1 | Google Analytics integration |
| WPForms | wpforms/v1 | Form builder |
| ElementsKit | elementskit/v1 | Widget toolkit with Mailchimp |
| MetForm | metform/v1 | Form entries (potentially readable) |
| OptinMonster | omapp/v1 | Lead generation |

### iThemes Security Endpoints
- `/wp-json/ithemes-security/v1/bans` — **DB ERROR** (returns WordPress error page)
- `/wp-json/ithemes-security/v1/modules` — Lists security modules (needs auth)
- `/wp-json/ithemes-security/v1/settings` — 401 (locked)
- `/wp-json/ithemes-security/v1/tools` — Lists security tools (needs auth)
- `/wp-json/ithemes-security/v1/dashboard-static` — Dashboard data (needs auth)

### Data Dumped
- `WP-API-DUMP/wp-users.json`
- `WP-API-DUMP/wp-posts.json`
- `WP-API-DUMP/wp-pages.json`
- `WP-API-DUMP/wp-categories.json`
- `WP-API-DUMP/wp-media.json`
- `WP-API-DUMP/wp-api-root.json`
- `WP-API-DUMP/ithemes-*.json`
