# Report 01: Git Repository & File Exposure Scan
**Date:** 2026-03-03
**Analyst:** Claude (automated OSINT)
**Classification:** Passive OSINT — No exploitation attempted
**Scan Platform:** VM106 (kali-recon-master) via Proxmox

---

## Executive Summary

A comprehensive scan of 132+ alive `.bf` domains for exposed source code repositories (`.git`), environment files (`.env`), configuration backups, and sensitive endpoints found **zero exposed git repositories** and **zero credential-bearing environment files**. However, the scan revealed **WordPress REST API user enumeration** on 3 government/institutional sites, exposing 12 user accounts including full names, usernames, and Gravatar email hashes. The telecom regulator ARCEP's `.htaccess` server configuration file was also found publicly readable.

---

## Methodology

### Scope
- All `.bf` domains discovered alive via THOT Domain ON alive checker (132+ domains)
- Additional targeted probing on 30 high-priority government and critical infrastructure domains

### Tools & Techniques
1. **THOT Domain ON** — alive checking via HTTP/HTTPS on 927 harvested `.bf` domains
2. **cURL probing** from VM106 — HTTP status code checks on sensitive paths
3. **WordPress REST API** — `/wp-json/wp/v2/users` endpoint enumeration

### Paths Checked Per Domain
| Path | Purpose |
|------|---------|
| `/.git/HEAD` | Git repository exposure (HTTPS + HTTP) |
| `/.git/config` | Git remote URL disclosure |
| `/.env` | Environment variables (DB creds, API keys) |
| `/wp-config.php.bak` | WordPress database credentials backup |
| `/wp-config.php~` | Editor swap file |
| `/.wp-config.php.swp` | Vim swap file |
| `/wp-config.php.old` | Renamed backup |
| `/.htaccess` | Apache server configuration |
| `/.svn/entries` | SVN repository exposure |
| `/phpinfo.php` | PHP configuration disclosure |
| `/info.php` | PHP info alternate |
| `/server-status` | Apache server status |
| `/debug.log` | Application debug logs |
| `/wp-content/debug.log` | WordPress debug logs |
| `/web.config` | IIS/ASP.NET configuration |
| `/.DS_Store` | macOS directory listing |
| `/robots.txt` | Crawler directives (for intel) |

### False Positive Handling
- `.git/HEAD` responses validated with strict regex `^ref: refs/` (not just `ref:`)
- `.env` responses validated for credential markers (`APP_KEY`, `DB_PASSWORD`, `SECRET`, `API_KEY`, `DATABASE_URL`)
- HTML error pages filtered out by checking for `<!doctype` and `<html` strings

---

## Findings

### Finding 1: ZERO Exposed Git Repositories

**Severity:** N/A (negative finding)
**Domains Scanned:** 132+
**Protocol:** Both HTTPS and HTTP checked

No `.bf` domain returned a valid git HEAD reference. One false positive was identified (legrandfrere.bf returned an HTML 404 page containing "ref:" in markup).

**Notable:** ARCEP (arcep.bf) has **explicit git protection** in their `.htaccess`:
```apache
# SECTION BEGIN GIT PROTECTION
RedirectMatch 404 /\.git
# SECTION END GIT PROTECTION
```
This indicates awareness of the git exposure attack vector.

### Finding 2: ZERO Exposed Environment Files

**Severity:** N/A (negative finding)
**Domains Scanned:** 132+

No `.env` file with credential markers was found on any scanned domain.

### Finding 3: ARCEP .htaccess Publicly Readable

**Severity:** LOW-MEDIUM
**Domain:** www.arcep.bf
**Status Code:** 200 OK
**File Size:** 1,674 bytes

The Apache `.htaccess` file is readable by unauthenticated users, revealing:
- **DEFLATE compression** configuration for all MIME types
- **Git protection rule:** `RedirectMatch 404 /\.git`
- **WPSuperCache** plugin directives
- **WordPress mod_rewrite** rules with `RewriteBase /`
- **HTTP Authorization** passthrough: `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]`

**Impact:** Reveals server configuration, installed plugins (WPSuperCache), and security measures. The HTTP_AUTHORIZATION passthrough indicates API authentication is in use.

### Finding 4: WordPress REST API User Enumeration — ARCEP

**Severity:** MEDIUM
**Domain:** www.arcep.bf
**Endpoint:** `/wp-json/wp/v2/users?per_page=100`
**Authentication Required:** NO

| ID | Display Name | Username (slug) | Gravatar Hash |
|----|-------------|-----------------|---------------|
| 4 | webmanager | webmaster | — |
| 7 | atraore | atraore | `fafee8299b6f09f5db44ffda68c55ceb` |
| 8 | Stella Ouedraogo | stella-ouedraogoarcep-bf | — |
| 9 | Yacouba KOUSSOUBE | y-koussoube | — |
| 10 | Lucien Manzaba | lucien-manzabaarcep-bf | `81f2a93a084a6c9bea12edaa03597a3d` |

**Analysis:**
- Slug naming convention `firstname-lastnamearcep-bf` reveals internal email format: `firstname.lastname@arcep.bf`
- Inferred emails: lucien.manzaba@arcep.bf, stella.ouedraogo@arcep.bf
- Combined with known `secretariat@arcep.bf` (from web scraping) and `e.guigma@onatel.bf` (from DMARC)
- Gravatar hashes can be reversed via rainbow tables or MD5 lookup to confirm email addresses
- `webmaster` account (ID 4) is likely the site administrator

**Context:** ARCEP is the telecommunications regulator AND the `.bf` domain authority. User accounts on their WordPress installation could be leveraged for phishing or brute-force attacks against the organization that controls Burkina Faso's entire domain infrastructure.

### Finding 5: WordPress REST API User Enumeration — ANPTIC

**Severity:** MEDIUM
**Domain:** anptic.gov.bf
**Endpoint:** `/wp-json/wp/v2/users?per_page=100`
**Authentication Required:** NO

| ID | Display Name | Username (slug) | Notes |
|----|-------------|-----------------|-------|
| 1 | webmaster | webmaster | Site administrator |
| 2 | Aicha Ilboudo | dcrp | DCRP = Direction de la Communication et des Relations Publiques |
| 3 | Axelle OUEDRAOGO | axelle | Content editor |

**Analysis:**
- ANPTIC is the **Agence Nationale de Promotion des TIC** — the government's own IT/digital agency
- The fact that the government IT agency's WordPress leaks user data is particularly ironic
- `dcrp` slug reveals organizational structure: the Communications & Public Relations department manages the site
- Named personnel: Aicha Ilboudo (DCRP), Axelle Ouedraogo

### Finding 6: WordPress REST API User Enumeration — Diaspora Burkina

**Severity:** LOW
**Domain:** diasporaburkina.bf
**Endpoint:** `/wp-json/wp/v2/users?per_page=100`
**Authentication Required:** NO

| ID | Display Name | Username (slug) | Notes |
|----|-------------|-----------------|-------|
| 1 | diasp_ad | diasp_ad | Site admin |
| 2 | ad_zep | ad_zep | Admin/editor |
| 3 | studyuser_2343246756 | studyuser_2343246756 | Test account |
| 4 | studyuser_4260180281 | studyuser_4260180281 | Test account |

**Analysis:**
- `studyuser_` prefixed accounts suggest a learning management or educational platform
- Less sensitive than gov sites but still reveals admin usernames

### Finding 7: Sites With Properly Secured REST API

**Severity:** N/A (positive finding)
**These sites correctly restrict the users endpoint:**

| Domain | Response |
|--------|----------|
| www.presidencedufaso.bf | 401 — "Uniquement les utilisateurs authentifiés peuvent accéder à l'API REST" |
| igf.bf | 401 — "Sorry, you are not allowed to list users" |

The Presidency uses the **Really Simple Security** plugin, which locks down the REST API. This is best practice.

### Finding 8: robots.txt Intelligence

| Domain | Notable Disallow/Sitemap |
|--------|------------------------|
| anptic.gov.bf | WordPress `/wp-admin/`, sitemap at anptic.gov.bf |
| police.gov.bf | Full Joomla robots.txt (836 bytes) |
| lonab.bf | Drupal-style comprehensive robots.txt (1,706 bytes) |
| enam.bf | Aggressive bot blocking (6,427 bytes) |
| lepays.bf | WooCommerce transaction logs: `/wp-content/uploads/wc-logs/`, `/wp-content/uploads/woocommerce_trans` |
| igf.bf | Sitemap → `groupefadoul.co` (private web management company) |
| canal3.bf | Sitemap → `groupefadoul.co` (same company) |
| diasporaburkina.bf | WordPress standard |
| fespaco.bf | Crawl-delay: 10 |
| presidencedufaso.bf | Crawl-delay: 10 |
| cisandco.bf | Crawl-delay: 10 |

**Notable:** igf.bf (Inspection Générale des Finances — national audit office) and canal3.bf both have sitemaps pointing to `groupefadoul.co`, revealing that **Groupe Fadoul** is a shared web management contractor for multiple BF institutions.

---

## Negative Findings (What Was NOT Found)

| Check | Result |
|-------|--------|
| Exposed `.git` repositories | None across 132+ domains |
| Exposed `.env` files | None |
| WordPress config backups | None |
| SVN repositories | None |
| phpinfo.php | None |
| Apache server-status | None |
| Debug logs | None |
| .DS_Store files | None |

---

## Recommendations (For Report Writing)

1. **ARCEP REST API user enumeration** should be highlighted as the most significant finding — the domain authority leaking personnel data
2. **ANPTIC leaking users** is particularly notable given they are the government IT agency
3. **ARCEP .htaccess exposure** reveals security-conscious configuration (git protection) but ironically the config itself is readable
4. **Groupe Fadoul** as shared contractor for government sites is worth investigating further
5. **Presidency's REST API lockdown** can be cited as a positive example of security practice
6. The **absence of exposed git repos** across all BF domains is itself a finding — suggests either:
   - Git is not widely used in BF web development (many sites use CMS)
   - Or basic security hygiene is in place for version control

---

## Appendix: Scan Statistics

| Metric | Value |
|--------|-------|
| Total domains harvested (THOT) | 927 |
| Domains confirmed alive | 132+ |
| Web domains probed (excl. mail/cpanel/autodiscover) | 92 |
| High-priority targets deep-probed | 30 |
| WordPress sites tested for user enum | 5 |
| Total exposure paths checked per domain | 17 |
| Total individual HTTP requests | ~3,000+ |
| Scan duration | ~15 minutes |
| Platform | VM106 via qm guest exec |
