# SONABHY - Societe Nationale Burkinabe d'Hydrocarbures
**Sector:** Hydrocarbons / Fuel Distribution
**Date:** 2026-03-03
**Source:** THOT Domain Intel + Manual Recon

## Domains
| Domain | Status |
|--------|--------|
| `sonabhy.bf` | UP |
| `www.sonabhy.bf` | UP (canonical) |

## Hosting & Infrastructure
- **IP:** 75.2.60.5
- **Country:** UNITED STATES (AWS Global Accelerator → Netlify)
- **Server:** Netlify (static site hosting)
- **HSTS:** max-age=31536000 (1 year)

## Tech Stack
- **Netlify** — static site platform (Jamstack)
- HTML5, no CMS fingerprint detected
- Custom email on page: `sonabhy@sonabhy.bf`
- No server-side language detected (static site)

## DNS Records (9 found)
- MX records indicate Microsoft 365 email
- SPF, DMARC configured

## Subdomains (11 found via brute-force)
- `www.sonabhy.bf` — main site
- `mail.sonabhy.bf` — mail server
- `mail1.sonabhy.bf` — secondary mail
- `mail2.sonabhy.bf` — tertiary mail
- `autodiscover.sonabhy.bf` — Exchange/M365 autodiscover
- `elearning.sonabhy.bf` — **e-learning platform**
- `cms.sonabhy.bf` — **content management system**
- `media.sonabhy.bf` — media/file server
- Additional subdomains from crt.sh harvest

## Interesting Findings
- **Netlify hosted** — national fuel company website on a US static hosting platform
- **E-learning subdomain** — internal training platform for fuel company employees
- **CMS subdomain** — separate content management system (likely headless CMS feeding Netlify frontend)
- **3 mail servers** (mail, mail1, mail2) — indicates mail infrastructure redundancy
- **Autodiscover** confirms Microsoft 365 email infrastructure
- **Static site on Netlify** — interesting choice for a state-owned enterprise; suggests modern web development practices or an external contractor
- **75.2.60.5** — AWS Global Accelerator IP (Netlify uses AWS backend)

## Emails Discovered
- `sonabhy@sonabhy.bf` (from website content)

## Security Notes
- Netlify provides built-in CDN and DDoS protection
- Static site = minimal server-side attack surface on main domain
- elearning, cms, and media subdomains are the more interesting targets
- M365 email = cloud-hosted, harder to compromise than self-hosted

## LATERAL FINDINGS (2026-03-04)

### cms.sonabhy.bf — Strapi CMS FULLY EXPOSED
- **CNAME:** king-prawn-app-6bsvl.ondigitalocean.app
- **Hosting:** DigitalOcean App Platform behind Cloudflare
- **CMS:** Strapi (Node.js headless CMS)
- **Admin Panel:** `cms.sonabhy.bf/admin` — 200 OK (login page accessible)
- **Admin Init:** UUID `a5ca9d48-8f90-4ff2-ac19-4b50b6cad297`, hasAdmin: true
- **DigitalOcean App ID:** `29a0ca2c-c79c-4070-9970-bd7e16f51a32`

#### Open API Endpoints
| Endpoint | Status | Data |
|----------|--------|------|
| `/api/content-type-builder/content-types` | **200 OPEN** | Full database schema (42KB) |
| `/api/actualites?populate=*` | **200 OPEN** | News content with images (201KB) |
| `/admin/init` | **200 OPEN** | UUID + hasAdmin flag |
| `/api/users` | 403 | Blocked |
| `/admin/information` | 401 | Blocked |
| `/api/users-permissions/roles` | 403 | Blocked |

#### Schema Models Exposed
- `admin::user` — firstname, lastname, username, email, password, roles, isActive, blocked
- `admin::api-token` — name, description, type, accessKey, lastUsedAt, permissions, expiresAt
- `admin::transfer-token` — transfer token schema
- `plugin::users-permissions.user` — username, email, password, resetPasswordToken, confirmationToken
- `plugin::upload.file` — file upload model

#### Cloudinary CDN Exposed
- **Account ID:** `dmk8wryvz`
- **Folder:** `sonabhy/`
- **URL Pattern:** `https://res.cloudinary.com/dmk8wryvz/image/upload/v.../sonabhy/...`

#### Content Dumped
- Full news articles from 2022-2024 (actualites)
- All stored in `STRAPI-DUMP/` subfolder

### elearning.sonabhy.bf — Unreachable
- **IP:** 196.28.244.11 (Burkina Faso)
- **Status:** Connection timeout on both HTTP and HTTPS
- Possibly firewalled or internal-only

### media.sonabhy.bf — Unreachable
- **IP:** 196.28.244.10 (Burkina Faso)
- **Status:** Connection timeout
- Possibly firewalled or internal-only

## TODO
- [ ] Enumerate all Strapi content types from schema dump
- [ ] Check Cloudinary for public file listing
- [ ] Try additional Strapi API endpoints based on schema
- [ ] Shodan/Censys on mail server IPs
