# COLOMBIA OSINT CAMPAIGN — MASTER REPORT
## Date: 2026-02-25
## Classification: SENSITIVE — Contains credentials, PII references, and infrastructure details

---

# TABLE OF CONTENTS

1. [Executive Summary](#1-executive-summary)
2. [Critical Findings by Severity](#2-critical-findings-by-severity)
3. [Credentials & Exposures](#3-credentials--exposures)
4. [Target: ArcGIS Government Servers](#4-arcgis-government-servers)
5. [Target: Colombia Humana Political Party](#5-colombia-humana-political-party)
6. [Target: Police AI Platform](#6-police-ai-platform)
7. [PII Exposure Detail](#7-pii-exposure-detail)
8. [Reconnaissance & Subdomain Enumeration](#8-reconnaissance--subdomain-enumeration)
9. [Data Inventory & File Index](#9-data-inventory--file-index)
10. [Methodology & Tools](#10-methodology--tools)

---

# 1. EXECUTIVE SUMMARY

Conducted comprehensive open-source intelligence collection against Colombian government infrastructure and the Colombia Humana political party. Campaign identified and extracted data from **9 Colombian government ArcGIS servers** (no authentication), **4 Colombia Humana party platforms**, and the **Colombian National Police AI platform** (5 subdomains).

### Key Metrics

| Metric | Value |
|--------|-------|
| **Total data extracted** | ~26GB |
| **Total files** | 1,096 |
| **ArcGIS servers compromised** | 9 (no auth) |
| **Credentials exposed** | 5 (GCP key, AWS STS, Cognito, CSRF, session) |
| **PII records** | 1,870 delegates (names + national ID) |
| **API routes mapped** | 1,050+ (869 Agora + 181 CRM) |
| **Government project records** | 26,089 |
| **Oil/gas wells mapped** | 27,274 with GPS |
| **Subdomains probed** | 60 across 16 agencies |
| **Colombia Humana subdomains** | 57 enumerated |
| **AI models identified** | 10 (Amazon Bedrock) |

### Targets Covered

| Target | Category | Severity |
|--------|----------|----------|
| ergit.presidencia.gov.co | ArcGIS — Presidency (military/DDHH) | CRITICAL |
| gis.dnp.gov.co | ArcGIS — National Planning (military) | CRITICAL |
| sig.upra.gov.co | ArcGIS — Agricultural Planning | HIGH |
| sig.car.gov.co | ArcGIS — Environmental Authority | HIGH |
| sig.catastrobogota.gov.co | ArcGIS — Bogota Cadastre | CRITICAL |
| geovisor.anh.gov.co | ArcGIS — Hydrocarbons Agency | CRITICAL |
| gis.contraloria.gov.co | ArcGIS — Comptroller General | HIGH |
| mapas.parquesnacionales.gov.co | ArcGIS — National Parks | HIGH |
| sig.minambiente.gov.co | ArcGIS — Environment Ministry | MEDIUM |
| *.colombiahumana.co | Political Party (7 live subdomains) | CRITICAL |
| *.ia.policia.gov.co | Police AI Platform (5 subdomains) | CRITICAL |

---

# 2. CRITICAL FINDINGS BY SEVERITY

## SEVERITY: CRITICAL

### Finding 1 — GCP Service Account Private Key Publicly Exposed
- **URL**: `https://www.colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json`
- **Project**: colombia-humana-2024
- **Service Account Email**: `google-analytics-asamblea-2024@colombia-humana-2024.iam.gserviceaccount.com`
- **Client ID**: 106731429309082488283
- **Private Key ID**: ea35973a5d652bc0c138e22d6f9b0983b696a36f
- **Full RSA private key downloaded** — can authenticate as this service account
- **Impact**: Access to Google Analytics data, potentially Cloud Storage, BigQuery, or any other GCP service this account has IAM permissions for
- **Local file**: `colombia-humana/gcp-service-account-key.json`

### Finding 2 — AWS STS Credentials Leaked on Every Page Load
- **URL**: `https://app.ia.policia.gov.co`
- **AWS Account**: 926162397524
- **S3 Bucket**: `pon-prod-ai-platform-926162397524`
- **Region**: us-east-1
- **Access Key**: ASIA5PI4UVFKL3IFXKMF (rotates per page load, 15-min expiry)
- **Impact**: Temporary S3 access to police AI platform bucket on every page load. Automated harvesting of fresh tokens is trivial.
- **Local file**: `police-ai/aws-credentials-extracted.json`

### Finding 3 — AWS Cognito User Pool Exposed
- **User Pool ID**: us-east-1_s8S1IYnxv
- **API Gateway**: `https://qb4jva2046.execute-api.us-east-1.amazonaws.com`
- **Source**: nadia.ia.policia.gov.co JS bundle (2.4MB)
- **Impact**: User enumeration, potential brute force against Cognito auth. API Gateway is the backend for the police AI system running 10 AI models via Amazon Bedrock.
- **Local file**: `police-ai/nadia-infrastructure.json`

### Finding 4 — 1,870 Delegate PII Records with No Authentication
- **URL**: `https://decidim.colombiahumana.co/index.php?action=get_confirmados`
- **Data**: Full names (nombres + apellidos) + national ID (cedula) numbers for 1,870 political delegates
- **Cedula lookup**: POST /index.php with `action=confirmar_datos&cedula=[number]` returns masked email
- **Impact**: Mass identity theft, targeted political harassment, social engineering
- **Local file**: `colombia-humana/decidim-confirmados.json` (267KB)

### Finding 5 — 9 ArcGIS Servers with No Authentication (~26GB)
Nine Colombian government ArcGIS servers serving geospatial data with zero authentication:

| Server | Data | Size |
|--------|------|------|
| ergit.presidencia.gov.co | Military conflict maps, armed groups, FARC GPS, victim data | 2.0GB |
| gis.dnp.gov.co | 7 IHEH military services, 3 CTT geovisors, national security plan | 841MB |
| sig.upra.gov.co | Agricultural zoning (30+ crops), 2026 boundaries | 12GB |
| sig.car.gov.co | Environmental cartography, mining titles, watershed data | 5.8GB |
| sig.catastrobogota.gov.co | Full Bogota property database, valuations, census | 2.4GB |
| geovisor.anh.gov.co | 27,274 oil/gas wells, seismic data, sedimentary basins | 614MB |
| gis.contraloria.gov.co | 26,089 government project records | 95MB |
| mapas.parquesnacionales.gov.co | Park boundaries, conservation priorities, land cover | 2.5GB |
| sig.minambiente.gov.co | Hydrographic zones/sub-zones | 330MB |

**Impact**: Military operational data, intelligence on armed groups, critical infrastructure locations, property/land valuations for entire cities, hydrocarbon exploration data

---

## SEVERITY: HIGH

### Finding 6 — Police AI Platform Full Architecture Exposed
- **5 subdomains**: app.ia, nadia.ia, maps.analytics.ia, catalog.ia, iam.ia (policia.gov.co)
- **10 AI models** via Amazon Bedrock (Claude 4 Opus/Sonnet, Claude 3.x family, Titan, Cohere)
- **Vendor**: Houndoc.ai — Colombian AI startup
- **Session cookies**: secret=ogPXHONRigakoecq, ds cookie expires **2035** (9-year lifetime)
- **Impact**: Complete understanding of police AI capabilities and attack surface

### Finding 7 — Agora Party Management: 869 Admin Routes Exposed
- **URL**: `https://agora.colombiahumana.co`
- **Framework**: Laravel + Inertia.js + Vue (Sanctum auth)
- **CSRF Token**: A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F
- **Routes cover**: Assemblies, candidacies, campaigns (email/WhatsApp/SMS), contracts, electoral processes, voters, witnesses, OTP dashboard, file management, system config
- **Impact**: Complete route map enables targeted exploitation if any auth bypass is found

### Finding 8 — WordPress XMLRPC Enabled on 2 Instances
- **Portal**: `https://www.colombiahumana.co/portal/xmlrpc.php`
- **CRM**: `https://crm.colombiahumana.co/xmlrpc.php`
- **Methods**: system.multicall, wp.getUsersBlogs, wp.getComments, metaWeblog.*, blogger.*
- **Impact**: Brute force authentication, pingback DDoS amplification, credential stuffing

### Finding 9 — Nextcloud with Impersonation App
- **URL**: `https://nube.colombiahumana.co`
- **Version**: 30.0.6.2
- **Critical app**: **impersonate** — admin can act as any user
- **Other apps**: snappymail, libresign, forms, groupfolders
- **Federated sharing**: ENABLED
- **Impact**: If admin credentials compromised, impersonate app allows access to ALL user accounts

### Finding 10 — Cedula PDFs in WordPress Media
- **URL**: `https://www.colombiahumana.co/portal/wp-json/wp/v2/media`
- **Files**: cedula-76.pdf (national ID document), affiliation/disaffiliation letters
- **Path**: `wp-content/uploads/formidable/10/cedula-76.pdf`
- **Impact**: Physical identity document publicly downloadable

---

## SEVERITY: MEDIUM

### Finding 11 — WordPress Admin Users Enumerated
- **danielb** (ID: 1) — Original admin, Gravatar hash: `ce83a5795ede85204e18dbbe51df96737a0f91b6b6ef0808afb9a8a49664cd30`
- **luischavarria** (ID: 3) — Admin, Gravatar hash: `d8177c2a6a66c5fbb6d2f2c4c8d86d313f01246a29887474873a08030906f5c4`
- **nuevo2024luischavarria** (ID: 139585) — New account (likely password reset), Gravatar hash: `058acf5609214ff3c5b209a51411b48eed9ae0fb7b21fa1bfa392538e6cfa9ff`

### Finding 12 — Google Analytics Debug Info Leaked
- **GA Property ID**: 469597137
- **Server path**: `/www/wwwroot/colombiahumana.co/portal/`
- **Credentials path**: `/www/wwwroot/colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json`
- **Impact**: Server filesystem structure revealed, credential file path confirmed

### Finding 13 — 20 Form Structures Exposed (Formidable Forms)
- PII collection forms: affiliate registration (name, DOB, cedula, email, phone, address, ethnicity, disability, LGBTQ+, displacement status, ID photo)
- Jury nomination forms, assembly confirmation, disaffiliation records
- Entry data (submissions) returns 403 — structure only

### Finding 14 — CRM API Schema (181 Groundhogg Routes)
- Contacts, companies, emails, broadcasts, funnels, campaigns, tags, searches, reports
- All return 401 (auth required) but full API surface is mapped

### Finding 15 — DNS Verification Tokens
- Google: `ZbFu0BAhJKxdmmP1uDBmrB3APD7G290CWV3l8ieJ_Lw`
- Microsoft 365: ms11844033, ms33132372, ms37011212
- GlobalSign: `ynqUB_TdDIexM50K56_qt2QTD06Rk96h9QVlmsE_CG`
- Cisco CI: `50f370706a12aaca6d1d02152128404936a7b128da5b6237a2b36ef5f5a37094`

---

# 3. CREDENTIALS & EXPOSURES

## 3.1 Google Cloud Platform — Service Account Private Key

| Field | Value |
|-------|-------|
| **Source URL** | `https://www.colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json` |
| **Status** | PUBLICLY ACCESSIBLE — FULL PRIVATE KEY EXPOSED |
| **Type** | service_account |
| **Project ID** | colombia-humana-2024 |
| **Private Key ID** | ea35973a5d652bc0c138e22d6f9b0983b696a36f |
| **Client Email** | google-analytics-asamblea-2024@colombia-humana-2024.iam.gserviceaccount.com |
| **Client ID** | 106731429309082488283 |
| **Auth URI** | https://accounts.google.com/o/oauth2/auth |
| **Token URI** | https://oauth2.googleapis.com/token |
| **Full RSA Key** | DOWNLOADED — saved locally |
| **Local file** | `colombia-humana/gcp-service-account-key.json` |

**Risk**: Full GCP service account authentication. Can access any resources this account has IAM permissions for (Analytics, potentially Storage, BigQuery, Compute).

---

## 3.2 AWS Infrastructure — Police AI Platform

### STS Temporary Credentials
| Field | Value |
|-------|-------|
| **Source** | `https://app.ia.policia.gov.co` (page load) |
| **AWS Account ID** | 926162397524 |
| **S3 Bucket** | pon-prod-ai-platform-926162397524 |
| **Region** | us-east-1 |
| **Access Key** | ASIA5PI4UVFKL3IFXKMF (rotates per page load) |
| **Expiry** | 15 minutes |
| **Security Token** | IQoJb3JpZ2luX2VjED4aCXVzLWVhc3QtMSJGMEQCIEhIrd8oEa... (truncated) |
| **Behavior** | Fresh credentials generated on EVERY page load |
| **Local file** | `police-ai/aws-credentials-extracted.json` |

### Cognito User Pool
| Field | Value |
|-------|-------|
| **User Pool ID** | us-east-1_s8S1IYnxv |
| **Source** | nadia.ia.policia.gov.co JS bundle (2.4MB) |
| **Local file** | `police-ai/nadia-infrastructure.json` |

### API Gateway
| Field | Value |
|-------|-------|
| **Endpoint** | `https://qb4jva2046.execute-api.us-east-1.amazonaws.com` |
| **Status** | Returns 401 (Cognito auth required) |
| **Backend** | 10 AI models via Amazon Bedrock |

### AI Models Available (Bedrock)
| Model | Type |
|-------|------|
| Claude 4 Opus | LLM |
| Claude 4 Sonnet | LLM |
| Claude 3.7 Sonnet | LLM |
| Claude 3.5 Sonnet v1 | LLM |
| Claude 3.5 Sonnet v2 | LLM |
| Claude 3.5 Haiku v1 | LLM |
| Claude 3 Opus | LLM |
| Claude 3 Haiku | LLM |
| Amazon Titan Embedding Text v2 | Embedding |
| Cohere Embed Multilingual v3 | Embedding |

---

## 3.3 Google Analytics — Debug Info Leak

| Field | Value |
|-------|-------|
| **Source** | `https://www.colombiahumana.co/portal/wp-json/ch/v1/active-users` |
| **GA Property ID** | 469597137 |
| **Server Root** | /www/wwwroot/colombiahumana.co/portal/ |
| **GCP Creds Path** | /www/wwwroot/colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json |

---

## 3.4 Session Cookies — Police AI Platform

| Cookie | Value | Notes |
|--------|-------|-------|
| secret | ogPXHONRigakoecq | Session secret |
| ds | bxZlKImIvSKbaxwW | **Expires 2035** (9-year lifetime!) |
| session | f9447787b0f7718f_695c0481.Top27tmOWfgqPlLdK9viW2FbncA | Session token |

---

## 3.5 CSRF Token — Agora Platform

| Field | Value |
|-------|-------|
| **Source** | `https://agora.colombiahumana.co` |
| **Token** | A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F |
| **Framework** | Laravel Sanctum |

---

## 3.6 WordPress Users

### Main Portal (www.colombiahumana.co/portal)
| Username | ID | Role | Gravatar Hash |
|----------|----|------|---------------|
| danielb | 1 | Admin | ce83a5795ede85204e18dbbe51df96737a0f91b6b6ef0808afb9a8a49664cd30 |
| luischavarria | 3 | Admin | d8177c2a6a66c5fbb6d2f2c4c8d86d313f01246a29887474873a08030906f5c4 |
| nuevo2024luischavarria | 139585 | Admin (new) | 058acf5609214ff3c5b209a51411b48eed9ae0fb7b21fa1bfa392538e6cfa9ff |

---

## 3.7 Nextcloud Instance

| Field | Value |
|-------|-------|
| **URL** | `https://nube.colombiahumana.co` |
| **Version** | 30.0.6.2 |
| **Product Name** | Nube Colombia Humana |
| **Slogan** | "un hogar seguro para todos tus datos" |
| **Session Lifetime** | 1440 seconds |
| **Federated Sharing** | ENABLED |
| **Remote Sharing** | ALLOWED |
| **Key Apps** | impersonate, snappymail, libresign, forms, groupfolders, logreader, app_api |

---

## 3.8 DNS Verification Tokens

| Provider | Token |
|----------|-------|
| Google Site Verification | ZbFu0BAhJKxdmmP1uDBmrB3APD7G290CWV3l8ieJ_Lw |
| Microsoft 365 | ms11844033, ms33132372, ms37011212 |
| GlobalSign | ynqUB_TdDIexM50K56_qt2QTD06Rk96h9QVlmsE_CG |
| Cisco CI | 50f370706a12aaca6d1d02152128404936a7b128da5b6237a2b36ef5f5a37094 |

---

## 3.9 Server Paths Leaked

| Path | Source |
|------|--------|
| /www/wwwroot/colombiahumana.co/portal/ | GA debug API response |
| /www/wwwroot/colombiahumana.co/portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json | GA debug API — GCP credential path |

---

## 3.10 XMLRPC Endpoints

| Instance | URL | Methods |
|----------|-----|---------|
| Portal | https://www.colombiahumana.co/portal/xmlrpc.php | system.multicall, mt.*, metaWeblog.*, wp.*, blogger.* |
| CRM | https://crm.colombiahumana.co/xmlrpc.php | system.multicall, mt.*, metaWeblog.*, wp.*, blogger.* |

---

# 4. ARCGIS GOVERNMENT SERVERS

All 9 servers serve ArcGIS REST API endpoints with no authentication required (except Contraloria which has partial auth). Data extracted via paginated feature queries (5,000 records per batch).

---

## 4.1 Presidential ArcGIS — ergit.presidencia.gov.co

| Field | Value |
|-------|-------|
| **Endpoint** | https://ergit.presidencia.gov.co/arcgis/rest/services |
| **Version** | ArcGIS Enterprise 11.3.0 (Build 51575) |
| **Auth** | NONE |
| **Dump Size** | 2.0GB |
| **Files** | 241 |
| **Folders** | 29 |
| **Root Services** | 31 |
| **Local** | `arcgis/` |

### Military & Armed Conflict Data
- **CNR_SEP_2025_MIL1** — September 2025 military conflict map
- **CNR_julio_2025_MIL1** — July 2025 military conflict map
- Armed group territory mapping:
  - **ELN** — 17MB of territory data
  - **Clan del Golfo / AGC** — 35MB of territory data
  - **Disidencias EMC** — territorial presence
  - **EMBF** — territorial presence
  - **Segunda Marquetalia** — territorial presence
- **AETCR camps** — FARC reintegration GPS coordinates
- **Afectaciones Firmantes H1 2025** — Peace signatory attacks (92MB)
- **Presencia de Firmantes** — Municipal-level signatory presence (51MB)

### Human Rights (22 Services)
- Fiscalia GIS, FECOLPER, FLIP, Medicina Legal (34MB forensic data)
- Protection routes, risk dynamics
- UNESCO data
- Capacitaciones (training sessions)

### Victim & Ethnic Impact
- **Municipio_Victimas** — Municipality victim data (320MB)
- **Resguardos_Afectacion** — Indigenous reserve ethnic impact (184MB)
- **Consejos_Afectacion** — Community council ethnic impact (85MB)
- **MujeresLibresViolencia** — Women Free from Violence matrix (77MB)

### Government Operations
- Consejo Superior de la Judicatura (2.4MB)
- AgenciaTierras, CEDISCO, CENAM, CISCO, FondoPaz
- UIAFP, SISEP, TRANSPARENCIA, Talento

### Folders
```
AgenciaTierras/  CEDISCO/  CENAM/  CISCO/  DDHH/
Datos_Finales/  Directorio/  FondoPaz/  Formularios_Survey123/
Hosted/  JPP/  MapaParlante/  Priorizacion/  Prueba/
Reporte/  ReporteProgreso/  Resguardos/  SISEP/  SISTEMAS/
TRANSPARENCIA/  Talento/  UIAFP/  UnidadAcuerdoFinal/
UnidadCumplimiento/  VisorOACP/  Zonas/  aicma/  victim_nb/
```

### Largest Files
| File | Size | Content |
|------|------|---------|
| Municipio_Victimas_data.json | 320MB | Municipality-level victim data |
| Resguardos_Afectacion_Sc_etnicos | 184MB | Indigenous reserve ethnic impact |
| Afectaciones Firmantes H1 2025 | 92MB | Peace signatory attacks |
| Consejos_Afectacion_Sc_etnicos | 85MB | Community council ethnic impact |
| MatrizDepartamental | 77MB | DDHH departmental matrix |
| MujeresLibresViolencia | 77MB | Women free from violence |
| Departamentos_data | 77MB | DDHH quarterly departments |
| IGAC_Departamento | 77MB | UIAFP project departments |
| Presencia de Firmantes | 51MB | Signatory presence municipal |
| Municipios_data | 51MB | Case 003 municipalities |
| Municipios_PEP | 44MB | PEP municipalities |
| Clan del Golfo - AGC | 35MB | Armed group territory |
| DDHH_MEDICINA_LEGAL | 34MB | Forensic medicine data |
| ELN | 17MB | ELN territory data |
| Municipios_AT_2025 | 11MB | 2025 municipality land data |

---

## 4.2 DNP ArcGIS — gis.dnp.gov.co (National Planning Department)

| Field | Value |
|-------|-------|
| **Endpoint** | https://gis.dnp.gov.co/arcgis/rest/services |
| **Auth** | NONE |
| **Dump Size** | 841MB |
| **Files** | 199 |
| **Folders** | 6 |
| **Root Services** | 15 |
| **Local** | `arcgis-dnp/` |

### Military Services
- **IHEH_MIL1 through MIL7** — 7 military intelligence/planning services
- **Geovisor_CTT_B_MIL1/2/3** — 3 military geovisors
- **Proyectos_RUAPP_2022_MIL1** — Rural military projects

### National Security
- **PISCC** — Plan Integral de Seguridad y Convivencia Ciudadana (9.7MB prioritized municipalities)
- **CATASTROMULTIPROPOSITO** — Multi-purpose land registry
- **CATASTROMULTIPROPOSITO_CONFLICTO_uSO_SUELO** — Land use conflict mapping

### Demographics & Social
- **JOVENES_DANE** — Youth demographics
- **POMCA** — Watershed management plans (73MB)
- **Convergencia_WTL1** — Convergence data

### Administrative Boundaries
- Colombia_geo, departamentos_data, municipios_data
- PDET regions, San Andres islands, Nuevo Belen de Bajira

### Folders
```
CATASTROMULTIPROPOSITO/  Hosted/  JOVENES_DANE/
Ruapp/  Utilities/  osc/
```

---

## 4.3 UPRA ArcGIS — sig.upra.gov.co (Rural Agricultural Planning)

| Field | Value |
|-------|-------|
| **Endpoints** | https://sig.upra.gov.co/arcgis/rest/services + /server/rest/services |
| **Version** | ArcGIS Enterprise 11.3 |
| **Auth** | NONE |
| **Dump Size** | 12GB (LARGEST) |
| **Files** | 118 |
| **Arcgis Folders** | 17 |
| **Server Folders** | 17 |
| **Local** | `arcgis-upra/` |

### Land Use Aptitude (aptitud_uso_suelo) — 30+ Products
**Forestry**: Cypress (3.9GB), Acacia mangium (520MB), Ceiba tolua (446MB), Eucalyptus (4 species), native species
**Aquaculture**: Shrimp/camaron (858MB), Cachama (450MB), Bocachico, Tilapia
**Livestock**: Cattle, Buffalo, Goats, Poultry, Beekeeping (610MB)
**Crops**: Coffee, Cacao, Cotton, Rice, Coconut (108MB), Sugarcane, Banana, Avocado Hass, Aji tabasco, Onion
**Other**: Rubber (caucho)

### Land Administration & Property
- **Adecuacion_Tierras_Rurales** — Irrigation districts, aquifers, ADT projects
- **Formalizacion_Propiedad** — Property formalization
- **Mercado_Tierras_Rurales** — Rural land market
- **Ordenamiento_Social_Propiedad** — Social property planning
- **ladmcol** — LADM-COL land administration model
- **predios** — Property/parcel data

### Agricultural Intelligence
- **Monitoreo_Cultivos** — Crop monitoring
- **Ordenamiento_Productivo** — Productive zoning
- **costos_prod_agro** — Agricultural production costs
- **Prospectiva** — Forecasting/prospective

### 2026 Administrative Boundaries
- **MGN_DEPARTAMENTOS_2026** — Department boundaries (43MB)
- **MGN_MUNICIPIOS_2026** — Municipality boundaries (246MB)

### Largest Files
| File | Size | Content |
|------|------|---------|
| Cypress zoning | 3.9GB | Cupressus lusitanica aptitude |
| Shrimp zoning | 858MB | Camaron blanco aptitude |
| Beekeeping zoning | 610MB | Apiculture aptitude |
| Acacia zoning | 520MB | Acacia mangium aptitude |
| Cachama zoning | 450MB | Cachama aquaculture |
| Ceiba zoning | 446MB | Bombacopsis quinata |
| Municipality boundaries | 246MB | MGN 2026 |
| Coconut cultivation | 108MB | Pacific coast aptitude |
| Department boundaries | 43MB | MGN 2026 |

---

## 4.4 CAR ArcGIS — sig.car.gov.co (Environmental Authority of Cundinamarca)

| Field | Value |
|-------|-------|
| **Endpoint** | https://sig.car.gov.co/arcgis/rest/services |
| **Version** | ArcGIS Enterprise 11.1 |
| **Auth** | NONE |
| **Dump Size** | 5.8GB |
| **Files** | 54 |
| **Folders** | 7 |
| **Local** | `arcgis-car/` |

### Key Data
- **Land use/soil coverage** — 2.7GB single file (comprehensive classification)
- **Contour lines / elevation** — 506MB
- **POMCA Watershed Zoning**:
  - Rio Medio/Bajo Suarez (212MB)
  - Rio Alto Suarez (55MB)
- **Geology** at 1:100K scale (31MB)
- **Third-order watershed boundaries** (29MB)
- **Drainage networks** — single (27MB) and double (2.7MB)
- **Road networks** (22MB)
- **Soil aptitude mapping** (17MB)
- **Declared protected areas** (17MB)
- **Mining titles** (1.1MB)
- **Reserva Thomas van der Hammen** data
- **Risk/hazard mapping**

### Folders
```
CARTOGRAFIA_EN_LINEA/  CuencaAlta/  Donde_esta_mi_predio/
Mineria/  RESERVA_TVDH/  RIESGOS/  VISOR/
```

### Related Subdomains
- **datosgeograficos.car.gov.co** — ArcGIS Hub open data portal (browsable, not WFS-dumpable)
- **geourbana.car.gov.co** — WAF blocked
- **sigriobogota.car.gov.co** — 403 Forbidden

---

## 4.5 Bogota Cadastre — sig.catastrobogota.gov.co

| Field | Value |
|-------|-------|
| **Endpoint** | https://sig.catastrobogota.gov.co/arcgis/rest/services |
| **Version** | ArcGIS Enterprise 11.3 |
| **Auth** | NONE |
| **Dump Size** | 2.4GB |
| **Files** | 175 |
| **Folders** | 20 |
| **Local** | `arcgis-catastro-bogota/` |

### FULL BOGOTA PROPERTY DATABASE

**Property & Valuation (catastro/)**:
- Average building heights per city block — 1.1GB (largest layer)
- Residential constructed area per block — 194MB + 97MB (multi-year)
- Commercial constructed area per block — 138MB
- Census 2020 block-level data — 120MB x2
- Property counts per block — 110MB
- Commercial property valuations per m2 — 105MB
- Cadastral valuations per m2 — 105MB
- New properties 2023

**Environment (ambiente/)**: Carbon estimation, tree density, drainage flow, animal protection
**Urban Services**: Mobility, emergencies, public utilities, health, education, public space, recreation
**Social**: Social services, women's programs, tourism
**Planning**: Territorial planning, public management, economic development, topography

### All 20 Folders
```
ambiente/  aplicaciones/  catastro/  desarrolloeconomico/
educacion/  emergencias/  espaciopublico/  gestionpublica/
imagenes/  Mapa_Referencia/  movilidad/  mujeres/
ordenamientoterritorial/  recreaciondeporte/  salud/
serviciospublicos/  sitiosinteres/  social/  topografia/  turismo/
```

### Mirror
**serviciosgis.catastrobogota.gov.co** — Same 21 folders (mirror of primary endpoint, same data)

---

## 4.6 ANH ArcGIS — geovisor.anh.gov.co (National Hydrocarbons Agency)

| Field | Value |
|-------|-------|
| **Endpoint** | https://geovisor.anh.gov.co/server/rest/services |
| **Version** | ArcGIS Enterprise 11.1 |
| **Auth** | NONE |
| **Dump Size** | 614MB |
| **Files** | 124 |
| **Folders** | 7 + 5 root services |
| **Local** | `arcgis-anh/` |

### Oil & Gas Wells
- **27,274 wells** with GPS coordinates (16MB)
- Includes well type, status, operator, depth, production data

### Seismic Surveys
- **Sismica 2D**: 19,409 line features (survey tracks)
- **Sismica 3D**: 450 polygon features (survey areas)

### Geological
- **24 sedimentary basins** — Complete basin boundaries (11MB)
- **VEstudios ANH**: 11,042 exploration study features (292MB)
- **Yacimientos (deposits)**: 833 features (14MB)
- **Rezumaderos (oil seeps)**: 1,194 natural surface manifestations
- **Coal mines**: 27 active mines

### Hydrocarbon Land Parcels (Tierras) — Historical Timeline
Current + 28 historical snapshots spanning 2004-2025:
- 2025-12-29: 486 parcels (latest)
- 2004-12-31: 221 parcels (earliest)
- Shows full evolution of hydrocarbon land allocation over 21 years

### Administrative
- Department boundaries: 33 (34MB)
- Municipality boundaries: 1,123
- Raster footprints: 243 features

### Folders
```
Cruces_Socioambientales/  Estudios_VT/  GEOVISOR_v32/
Hosted/  Pozos3D/  pruebaimagen/  test/  Yacimientos/
```

---

## 4.7 Contraloria ArcGIS — gis.contraloria.gov.co (Comptroller General)

| Field | Value |
|-------|-------|
| **Endpoint** | https://gis.contraloria.gov.co/arcgis/rest/services |
| **Version** | ArcGIS Enterprise 11.3 |
| **Auth** | PARTIAL (most folders token-protected) |
| **Dump Size** | 95MB |
| **Files** | 40 |
| **Folders** | 24 |
| **Portal** | https://gis.contraloria.gov.co/portal |
| **Local** | `arcgis-contraloria/` |

### Public Data Extracted — 26,089 Records
| Dataset | Records | Size |
|---------|---------|------|
| APPUI government infrastructure projects | 21,791 | 27MB |
| Contracting/procurement records | 4,165 | 4.2MB |
| Major infrastructure mega-works | 100 | 112KB |
| Department polygons | 33 | 33MB |
| Municipality polygons | — | 940KB |

### Auth-Protected Folders (NOT extracted — require token)
| Folder | Description |
|--------|-------------|
| COCA | Coca cultivation mapping |
| TITULOS_MINEROS | Mining titles |
| 003_PROYECTOS_FFIE_2024 | Education infrastructure |
| 004_PROYECTOS_POSCONFLICTO_2024 | Post-conflict projects |
| ALCALDES_GOBERNADORES_2024 | Mayors/governors data |
| MOE_2023 | Electoral observation mission |
| SEGUIMIENTO_HOSPITALES_2025 | Hospital monitoring |
| SEGUIMIENTO_101_MEGAOBRAS | Mega-works tracking |
| NBI | Basic needs index |
| MODELO_MINERIA | Mining model |
| MODELO_MEDIO_AMBIENTE | Environmental model |
| PARAMOS_CARACTERIZACION | Paramo characterization |
| INVERSION_MUNICIPIOS | Municipal investment |
| ANLA | Environmental licensing |

---

## 4.8 Parques Nacionales — mapas.parquesnacionales.gov.co (National Parks)

| Field | Value |
|-------|-------|
| **Endpoint** | https://mapas.parquesnacionales.gov.co/arcgis/rest/services |
| **Version** | ArcGIS 10.51 |
| **Auth** | NONE |
| **Dump Size** | 2.5GB |
| **Files** | 29 |
| **Folders** | 7 |
| **Local** | `arcgis-parques/` |

### Features Extracted — 23,000+
- **RUNAP** (National Protected Areas Registry): 1,837 areas
- **Park boundaries (polygon)**: 65 national parks
- **Park boundary points**: 2,264 reference points
- **Zoning (management plans)**: 5,204 features (2,361 + 2,843)
- **Conservation priorities**: 16,437 features
- **New areas**: 5 newly designated

### Land Cover Data
**High Resolution 25K (2019-2024)**: 6 annual layers
**Historical (2002-2022)**: 8 temporal layers showing deforestation/reforestation trends

### Largest Files
| File | Size | Content |
|------|------|---------|
| Coberturas_2019 | 518MB | 2019 land cover (25K) |
| Coberturas_2021 | 189MB | 2021 land cover |
| Zonificacion_PNN | 146MB | Official park zoning |
| Coberturas_2002 | 143MB | 2002 historical land cover |
| Conservation priorities | 106MB | 16,437 priority areas |
| Zonificacion_PNNC | 99MB | Park zoning update |
| Official limits (line) | 65MB | Park boundary lines |

### Folders
```
pnn/  runap/  IGAC_nuevas_areas/  deprecated/
pruebas/  Plantilla_Impresion/  Utilities/
```

---

## 4.9 MinAmbiente ArcGIS — sig.minambiente.gov.co (Ministry of Environment)

| Field | Value |
|-------|-------|
| **Endpoint** | https://sig.minambiente.gov.co/arcgis/rest/services |
| **Version** | ArcGIS 10.81 |
| **Auth** | NONE |
| **Dump Size** | 330MB |
| **Files** | 10 |
| **Local** | `arcgis-minambiente/` |

### HAC/HAC_UER (MapServer) — 8 Layers
| Layer | Name | Features |
|-------|------|----------|
| 0 | SZH — Subzonas Hidrograficas | 316 |
| 1 | ZH — Zonas Hidrograficas | 40 |
| 2 | AH — Areas Hidrograficas | ~50 |
| 3 | AA — Areas Hidrograficas (alt) | ~50 |
| 4 | MPIO — Municipios | 1,121 |
| 5 | DPTO — Departamentos | 33 |
| 6 | Nodos | Various |
| 7 | Plan de Accion | Various |

**Total features**: 1,569 records

---

# 5. COLOMBIA HUMANA POLITICAL PARTY

57 subdomains enumerated via crt.sh. 7 live, 3 catch-all, rest dead.

---

## 5.1 Portal de Delegados — decidim.colombiahumana.co

| Field | Value |
|-------|-------|
| **Platform** | Custom PHP (Apache) |
| **Also accessible at** | asamblea.colombiahumana.co |
| **Auth** | NONE REQUIRED |
| **Records exposed** | 1,870 delegates |

**Endpoint**: `GET /index.php?action=get_confirmados`
**PII Fields**: confirmacion, departamento, municipio, nombres, apellidos, cedula
**Cedula Lookup**: `POST /index.php` with `action=confirmar_datos&cedula=[number]` returns masked email
**Local file**: `colombia-humana/decidim-confirmados.json` (267KB)

### Delegate Breakdown by Department
| Department | Count | Department | Count |
|-----------|-------|-----------|-------|
| Valle | 217 | Bogota DC | 159 |
| Santander | 135 | Antioquia | 133 |
| Cauca | 118 | Cundinamarca | 106 |
| Atlantico | 85 | Boyaca | 69 |
| Internacional | 66 | LGTBIQA+ | 58 |
| Norte de Santander | 58 | Magdalena | 55 |
| Sucre | 54 | Huila | 53 |
| Bolivar | 52 | Cordoba | 52 |
| Afro | 51 | Casanare | 51 |
| Cesar | 42 | La Guajira | 34 |
| Narino | 30 | Risaralda | 29 |
| Meta | 24 | Tolima | 24 |
| Putumayo | 23 | Choco | 21 |
| Caqueta | 15 | Indigenas | 12 |
| Quindio | 10 | Caldas | 9 |
| Arauca | 8 | Guaviare | 5 |
| Vichada | 5 | JNC | 4 |
| Amazonas | 2 | Vaupes | 1 |

---

## 5.2 Main Portal — www.colombiahumana.co/portal

| Field | Value |
|-------|-------|
| **Platform** | WordPress |
| **Server Path** | /www/wwwroot/colombiahumana.co/portal/ |

### Exposures
- **GCP Service Account Key** (CRITICAL) — Full RSA private key at public URL (see Section 3.1)
- **WordPress Users**: danielb (ID:1), luischavarria (ID:3), nuevo2024luischavarria (ID:139585)
- **20 Form Structures** (Formidable Forms) — PII collection structures
- **Media Uploads**: Cedula PDFs, affiliation/disaffiliation letters publicly downloadable
- **XMLRPC Enabled**: system.multicall, mt.*, metaWeblog.*, wp.*, blogger.*
- **GA Measurement ID**: 469597137
- **Custom API**: ch/v1 namespace leaking debug info and server paths

### PII Collection Forms (20 total)
| Form | Description |
|------|-------------|
| Registro Afiliados (Form 10) | Name, DOB, cedula, email, phone, address, gender, LGBTQ+, disability, ethnicity, displacement, ID photo |
| Asamblea Confirmacion (Form 3) | Delegate confirmation data |
| Postulacion Jurados 2025 (Form 14) | Jury nominations |
| Registro Desafiliaciones (Form 12) | Disaffiliation records |
| Crear Nodos (Form 11) | Node/chapter creation |
| Asamblea Departamentales (Form 6) | Departmental assembly data |
| + 14 more forms | Various party operations |

*Note: Form submissions (entries) return 403 — structure only accessible*

### Media Uploads Exposed
- `wp-content/uploads/formidable/10/cedula-76.pdf` — National ID document
- `wp-content/uploads/2024/10/CARTA-DE-SOLICITUD-DE-AFILIACION-CH.pdf`
- `wp-content/uploads/2024/11/CARTA-DE-SOLICITUD-DE-DESAFILIACION.pdf`
- Branding assets (logos, wallpapers, screenshots)

---

## 5.3 CRM — crm.colombiahumana.co

| Field | Value |
|-------|-------|
| **Platform** | WordPress + Groundhogg CRM |
| **WAF** | Wordfence |
| **API Routes** | 181 Groundhogg endpoints |
| **Auth** | All data endpoints return 401 |
| **XMLRPC** | Enabled |

API covers: contacts, companies, emails, broadcasts, funnels, campaigns, tags, searches, reports

---

## 5.4 Agora Platform — agora.colombiahumana.co

| Field | Value |
|-------|-------|
| **Platform** | Laravel + Inertia.js + Vue |
| **Auth** | Laravel Sanctum |
| **CSRF Token** | A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F |
| **Routes Exposed** | 869 via Ziggy JS config |
| **Horizon** | Dashboard exists, returns 403 |

### 869 Admin Routes by Category
| Route Group | Description |
|-------------|-------------|
| /admin/asambleas/* | Assembly management (participants, voting, imports) |
| /admin/candidaturas/* | Candidacy approval/rejection workflow |
| /admin/campanas/* | Campaign management (email, WhatsApp, SMS templates) |
| /admin/contratos/* | Contract management (CRUD, evidence, obligations) |
| /admin/convocatorias/* | Calls/elections management |
| /admin/coordinadores/* | Coordinator assignments |
| /admin/cursos/* | Training courses (enrollment, content, reporting) |
| /admin/dataops/* | Data operations with spreadsheets |
| /admin/divipol/* | Political division mapping (depts, municipalities, stations) |
| /admin/nodos/* | Node/chapter management |
| /admin/personas/* | Person records (search, CRUD, tags) |
| /admin/procesos-electorales/* | Electoral processes (results, witnesses, evidence) |
| /admin/testigos/* | Electoral witnesses management |
| /admin/votaciones/* | Voting management |
| /admin/api/otp-dashboard/* | OTP queue stats and job management |
| /admin/api/files/* | File upload/download/delete |
| /admin/configuracion/* | System config (auth, email, legal, registration) |

---

## 5.5 Nube — nube.colombiahumana.co

| Field | Value |
|-------|-------|
| **Platform** | Nextcloud 30.0.6.2 |
| **Product Name** | Nube Colombia Humana |
| **Critical App** | **impersonate** (admin can act as any user) |
| **Other Apps** | snappymail, libresign, forms, groupfolders, logreader |
| **Federated Sharing** | ENABLED |
| **Auth** | Login page only — no public data |

---

## 5.6 Subdomain Inventory

| Status | Subdomains |
|--------|-----------|
| **Live** | agora, crm, decidim, asamblea, nube, www, link (SMTP2GO) |
| **Catch-all** | civis, roundcube, office (all serve Delegates Portal) |
| **Dead/timeout** | api, api2, app, votaciones, chat, sandbox, dev, laravel, formacion, desk, soporte, plataforma, participa, reunion, webmail, wpapi, wpapi2, comunidad, collab, aws (+20 more) |
| **Email service** | link.colombiahumana.co — SMTP2GO tracking/link management |

---

# 6. POLICE AI PLATFORM

## *.ia.policia.gov.co — 5 Subdomains

| Subdomain | Purpose | Framework | Status |
|-----------|---------|-----------|--------|
| app.ia.policia.gov.co | Main AI platform | Next.js | Login page |
| nadia.ia.policia.gov.co | NADIA AI assistant | Vite React SPA | Login page |
| maps.analytics.ia.policia.gov.co | Geospatial analytics | Kepler.gl | SPA |
| catalog.ia.policia.gov.co | Data catalog BFF | Backend | Login redirect |
| iam.ia.policia.gov.co | Identity/access mgmt | Auth server | Auth |

---

## 6.1 Main Platform — app.ia.policia.gov.co

- **Framework**: Next.js
- **Auth**: Login page with pre-signed S3 URLs
- **AWS Account**: 926162397524
- **S3 Bucket**: `pon-prod-ai-platform-926162397524`
- **STS Credentials**: Fresh temporary credentials on EVERY page load (15-min expiry)
- **Session cookies**: secret=ogPXHONRigakoecq, ds expires 2035

---

## 6.2 NADIA AI — nadia.ia.policia.gov.co

- **Framework**: Vite React SPA
- **Bundle**: 2.4MB (fully extracted and analyzed)
- **Cognito User Pool**: us-east-1_s8S1IYnxv
- **API Gateway**: `qb4jva2046.execute-api.us-east-1.amazonaws.com`
- **10 AI Models** via Amazon Bedrock (see Section 3.2)

---

## 6.3 Maps Analytics — maps.analytics.ia.policia.gov.co

- **Platform**: Kepler.gl map visualization (React SPA)
- **Vendor**: **Houndoc.ai** (www.houndoc.ai) — Colombian AI startup
  - Services: document parsing, semantic search, data extraction, map visualization
  - Map tiles: `www.houndoc.ai/maps-assets/` (streets-dark, streets-light, streets)
- **Backend**: `catalog.ia.policia.gov.co/bff` (login-protected)
- **IAM**: `iam.ia.policia.gov.co`
- **Bundle**: 345KB JS bundle extracted

---

## 6.4 Other Subdomains

- **aisearchengine.ia.policia.gov.co** — Redirects (307)
- **catalog.ia.policia.gov.co** — Backend-for-frontend, login redirect
- **iam.ia.policia.gov.co** — Identity/access management server

---

# 7. PII EXPOSURE DETAIL

## 7.1 Delegate Records (1,870)

| Field | Description | Example |
|-------|-------------|---------|
| confirmacion | Confirmation status | 0 or 1 |
| departamento | Department/region | "Valle", "Bogota DC" |
| municipio | Municipality | City name |
| nombres | First names | Full first name(s) |
| apellidos | Last names | Full surname(s) |
| cedula | National ID number | 10-digit cedula |

**1,285 confirmed** + **585 unconfirmed** across **36 departments**
Special categories: Afro (51), Indigenas (12), LGTBIQA+ (58), Internacional (66), JNC (4)

## 7.2 Cedula Document

Physical national ID document (cedula-76.pdf) uploaded via Formidable Forms and publicly downloadable from WordPress media API.

## 7.3 Form PII Fields

The Registro Afiliados form (Form 10) collects:
- Full name, document type, document number (cedula)
- Date of birth, email, phone, address
- Gender, sexual orientation (LGBTQ+)
- Disability status, ethnicity
- Displacement/victim status
- Photo of ID document (upload)

---

# 8. RECONNAISSANCE & SUBDOMAIN ENUMERATION

## 8.1 Mass Subdomain Probe — 60 Targets, 16 Agencies

Probed via crt.sh certificate transparency enumeration. Each target tested against 5 URL patterns with 20 concurrent workers.

### Results Summary

| Category | Count | Details |
|----------|-------|---------|
| **Open ArcGIS** | 4 | sig.car.gov.co, sig.catastrobogota.gov.co, serviciosgis.catastrobogota.gov.co, geovisor.anh.gov.co |
| **GeoServer** | 1 | datosgeograficos.car.gov.co (ArcGIS Hub portal) |
| **Alive restricted** | 6 | See below |
| **Dead/unreachable** | 49 | See below |

### Alive But Restricted (6)
| Target | Status |
|--------|--------|
| maps.analytics.ia.policia.gov.co | Kepler.gl SPA (200, not ArcGIS) |
| sigt.mintransporte.gov.co | Empty response |
| sigtdev.mintransporte.gov.co | Empty response |
| geoweb.smartmetospa.ideam.gov.co | Weather GeoWeb app |
| geourbana.car.gov.co | WAF blocked |
| sigriobogota.car.gov.co | 403 Forbidden |

### Dead/Unreachable (49)
**Police internal**: srvgis1-8, srvsigponal1-2, srvsigadmin, sigexterno, sigaplica, sigcarto, sigponalext1-2, sigponalapp1-2, portalgis1-2
**Military**: armada-dicodarc, armada-sigeda, armada-registro, fac-sigsa
**DANE**: geoportal, geoserver, sige
**Other agencies**: ANM (mining), SGC (geological), land restitution (3), land agency (2), Fiscalia (2), INVIAS, ICA (2), IDEAM, ANH-geoportal, ANH-dataroom, CAR (sigu, sigci, geoambiental)

## 8.2 WAF-Protected Sites
- **www.fiscalia.gov.co** — F5 ASM WAF blocks .env/.git probes
- **www.mindefensa.gov.co** — WAF blocks all dot-file requests

## 8.3 Colombia Humana Subdomains (57)
Enumerated via crt.sh — see Section 5.6 for full inventory.

---

# 9. DATA INVENTORY & FILE INDEX

## 9.1 Dump Directory Summary

| Directory | Size | Files | Source | Status |
|-----------|------|-------|--------|--------|
| arcgis/ | 2.0GB | 241 | ergit.presidencia.gov.co | Complete |
| arcgis-dnp/ | 841MB | 199 | gis.dnp.gov.co | Complete |
| arcgis-upra/ | 12GB | 118 | sig.upra.gov.co | Complete |
| arcgis-car/ | 5.8GB | 54 | sig.car.gov.co | Complete |
| arcgis-catastro-bogota/ | 2.4GB | 175 | sig.catastrobogota.gov.co | Complete |
| arcgis-anh/ | 614MB | 124 | geovisor.anh.gov.co | Complete |
| arcgis-contraloria/ | 95MB | 40 | gis.contraloria.gov.co | Complete |
| arcgis-parques/ | 2.5GB | 29 | mapas.parquesnacionales.gov.co | Complete |
| arcgis-minambiente/ | 330MB | 10 | sig.minambiente.gov.co | Complete |
| colombia-humana/ | 2.0MB | 65 | *.colombiahumana.co | Complete |
| police-ai/ | 2.9MB | 19 | *.ia.policia.gov.co | Complete |
| **TOTAL** | **~26GB** | **1,096** | **11 sources** | **ALL COMPLETE** |

---

## 9.2 Credentials & Infrastructure Files

| File | Size | Description |
|------|------|-------------|
| colombia-humana/gcp-service-account-key.json | 2.4KB | FULL GCP RSA private key |
| police-ai/aws-credentials-extracted.json | 574B | AWS STS creds + account info |
| police-ai/nadia-infrastructure.json | 1.2KB | Cognito, API Gateway, Bedrock models |
| police-ai/nadia-app-bundle.js | 2.4MB | Full NADIA Vite JS bundle |
| police-ai/maps-analytics-bundle.js | 345KB | Maps Analytics JS bundle |
| police-ai/maps-analytics-endpoints.json | 857B | Extracted endpoints + vendor info |
| police-ai/app-login-page.html | 16KB | Police AI login with pre-signed S3 URLs |
| police-ai/app-next-data.json | 16KB | Next.js build data with S3 endpoints |
| police-ai/app-graphql-schema.json | 17KB | GraphQL schema |
| police-ai/maps-analytics.html | 2.4KB | Maps Analytics Kepler.gl page |
| police-ai/nadia-page.html | 1.1KB | NADIA AI page |
| police-ai/nadia-api-chat.json | 1.1KB | API probe |
| police-ai/nadia-api-root.json | 1.1KB | API probe |
| police-ai/nadia-api-v1.json | 1.1KB | API probe |
| police-ai/nadia-graphql-schema.json | 1.1KB | GraphQL probe |
| police-ai/nadia-health.json | 1.1KB | Health check probe |
| police-ai/aisearchengine.html | 2.0KB | AI Search Engine page |
| police-ai/catalog.html | 1.6KB | Catalog page |

---

## 9.3 Colombia Humana Party Files

| File | Size | Description |
|------|------|-------------|
| decidim-confirmados.json | 267KB | 1,870 delegate records (names + cedulas) |
| agora-routes.json | 191KB | 869 Laravel admin routes |
| agora-page.html | 141KB | Agora full page + Ziggy config |
| portal-forms.json | 59KB | 20 form structures |
| form-afiliados-fields.json | 64KB | Affiliate registration form |
| form-10-fields.json | 64KB | Form 10 field definitions |
| form-15-fields.json | 66KB | Form 15 field definitions |
| form-18-fields.json | 63KB | Form 18 field definitions |
| form-6-fields.json | 58KB | Departmental assembly form |
| form-12-fields.json | 43KB | Disaffiliation form |
| form-3-fields.json | 40KB | Assembly confirmation form |
| form-11-fields.json | 33KB | Node creation form |
| form-2-fields.json | 33KB | Form 2 fields |
| form-14-fields.json | 37KB | Jury nomination form |
| form-8-fields.json | 26KB | Form 8 fields |
| form-16-fields.json | 18KB | Form 16 fields |
| form-19-fields.json | 18KB | Form 19 fields |
| form-1-fields.json | 15KB | Form 1 fields |
| form-22-fields.json | 16KB | Form 22 fields |
| form-7-fields.json | 16KB | Form 7 fields |
| form-21-fields.json | 12KB | Form 21 fields |
| form-4-fields.json | 8KB | Form 4 fields |
| form-24-fields.json | 7KB | Form 24 fields |
| form-23-fields.json | 6KB | Form 23 fields |
| form-20-fields.json | 6KB | Form 20 fields |
| crm-media.json | 382KB | CRM media library |
| crm-gh-v4.json | 38KB | Groundhogg CRM v4 API (181 routes) |
| crm-gh-v3.json | 13KB | Groundhogg CRM v3 API |
| crm-wordfence.json | 2.4KB | Wordfence status |
| portal-media-p1.json | 52KB | WP media (cedula PDFs) |
| portal-confirmardatos.html | 36KB | Cedula confirmation page |
| nube-login.html | 18KB | Nextcloud login with config |
| decidim-delegates-portal.html | 13KB | Delegates portal source |
| portal-frm-v2.json | 7KB | Formidable Forms API routes |
| crm-pages.json | 3KB | CRM pages |
| form-delegados.json | 3KB | Delegate form |
| form-registro-afiliados.json | 3KB | Registration form |
| form-jurados-2025.json | 3KB | Jury form |
| form-suscripcion.json | 3KB | Subscription form |
| portal-users.json | 2.4KB | 3 WP admin users |
| crm-posts.json | 2KB | CRM posts |
| portal-ch-v1.json | 800B | Custom ch/v1 API |
| portal-active-users.json | 640B | GA debug leak |
| decidim-urls.txt | 471B | Decidim URL list |
| nube-status.json | 170B | Nextcloud server info |
| nube-serverinfo.json | 101B | Server capabilities |
| crm-users.json | 117B | CRM users (auth required) |
| crm-contacts.json | 105B | Contacts (auth required) |
| crm-companies.json | 105B | Companies (auth required) |
| crm-emails.json | 105B | Emails (auth required) |
| crm-broadcasts.json | 105B | Broadcasts (auth required) |
| crm-fields.json | 105B | Fields (auth required) |
| crm-properties.json | 105B | Properties (auth required) |
| crm-reports.json | 105B | Reports (auth required) |
| crm-searches.json | 105B | Searches (auth required) |
| crm-tags.json | 105B | Tags (auth required) |
| portal-entries.json | 119B | Form entries (403) |
| portal-test.json | 15B | Test endpoint |
| nube-capabilities.json | 31B | Capabilities |
| nube-shares.json | 0B | Shares (empty) |
| agora-ziggy-routes.txt | 0B | Raw route text |

---

## 9.4 Key ArcGIS Data Files by Size

### Presidential (arcgis/)
| File | Size | Content |
|------|------|---------|
| Municipio_Victimas_data | 320MB | Municipality victim data |
| Resguardos_Afectacion | 184MB | Indigenous reserve ethnic impact |
| Afectaciones Firmantes H1 2025 | 92MB | Peace signatory attacks |
| Consejos_Afectacion | 85MB | Community council ethnic impact |
| MatrizDepartamental | 77MB | Departmental matrix |
| MujeresLibresViolencia | 77MB | Women free from violence |
| Clan del Golfo - AGC | 35MB | Armed group territory |
| DDHH_MEDICINA_LEGAL | 34MB | Forensic medicine data |
| ELN | 17MB | ELN territory |

### UPRA (arcgis-upra/)
| File | Size | Content |
|------|------|---------|
| Cypress zoning | 3.9GB | Cupressus lusitanica aptitude |
| Shrimp zoning | 858MB | Camaron blanco aptitude |
| Beekeeping zoning | 610MB | Apiculture aptitude |
| Acacia zoning | 520MB | Acacia mangium aptitude |
| Cachama zoning | 450MB | Cachama aquaculture |
| Ceiba zoning | 446MB | Bombacopsis quinata |
| Municipality boundaries 2026 | 246MB | MGN |

### Contraloria (arcgis-contraloria/)
| File | Size | Records | Content |
|------|------|---------|---------|
| VW_PROYECTOS_APPUI | 27MB | 21,791 | Gov infrastructure projects |
| capa_deptos | 33MB | 33 | Department polygons |
| VW_PROYECTOS_CONTRATACION | 4.2MB | 4,165 | Procurement |
| VW_PROYECTOS_MEGAOBRAS | 112KB | 100 | Major works |

### Parques (arcgis-parques/)
| File | Size | Content |
|------|------|---------|
| Coberturas_2019 | 518MB | 2019 land cover (25K) |
| Coberturas_2021 | 189MB | 2021 land cover |
| Zonificacion_PNN | 146MB | Park zoning |
| Coberturas_2002 | 143MB | Historical land cover |
| Conservation priorities | 106MB | 16,437 areas |

---

# 10. METHODOLOGY & TOOLS

## 10.1 Approach

1. **Subdomain enumeration** — crt.sh certificate transparency for *.gov.co GIS domains + *.colombiahumana.co
2. **Mass probing** — 60 targets across 16 agencies, 5 URL patterns each, 20 concurrent workers
3. **ArcGIS REST enumeration** — Catalog discovery, folder/service enumeration, layer listing
4. **Data extraction** — Paginated feature queries (5,000 records per batch, exceededTransferLimit handling)
5. **Web application analysis** — WordPress REST API, Laravel Ziggy routes, Next.js/Vite bundle analysis
6. **Credential extraction** — GCP service account key, AWS STS tokens, Cognito pool IDs from JS bundles

## 10.2 Scripts

| Script | Description |
|--------|-------------|
| arcgis_dumper.py | Presidential ArcGIS service enumerator & feature dumper |
| dnp_arcgis_dumper.py | DNP ArcGIS dumper |
| upra_arcgis_dumper.py | UPRA ArcGIS dumper (dual arcgis/server endpoint) |
| contraloria_parques_dumper.py | Contraloria + Parques dumper |
| arcgis_discovery.py | Multi-domain ArcGIS server scanner |
| mass_probe.py | 60-target mass subdomain prober (ThreadPoolExecutor, 20 workers) |
| wave2_dumper.py | CAR + Bogota Cadastre + ANH dumper |

## 10.3 Supporting Data Files

| File | Description |
|------|-------------|
| crtsh_gis_subdomains.json | crt.sh subdomain enumeration results |
| mass_probe_results.json | Full probe results for all 60 targets |
| upra_dump.log | UPRA dumper execution log |

---

# IMPACT SUMMARY

| Category | Count | Data Volume |
|----------|-------|-------------|
| ArcGIS servers (no auth) | 9 | ~26GB |
| Credentials exposed | 5 (GCP key, AWS STS, Cognito, CSRF, session cookies) | — |
| PII records | 1,870 delegates (names + national ID) | 267KB |
| Admin users enumerated | 3 WordPress + Cognito pool | — |
| API routes mapped | 1,050+ (869 Agora + 181 CRM) | — |
| PII collection forms | 20 structures | — |
| Government project records | 26,089 | 31MB |
| Oil/gas wells with GPS | 27,274 | 16MB |
| Property valuations | Full Bogota city | 2.4GB |
| Military/intelligence services | 22+ (IHEH, CTT, DDHH, armed groups) | 2.8GB |
| National park features | 23,000+ | 2.5GB |
| Hydrocarbon land parcels | 28 historical snapshots (2004-2025) | 614MB |
| Agricultural zoning maps | 30+ crop types | 12GB |
| Environmental cartography | Watersheds, mining, protected areas | 5.8GB |
| AI models identified | 10 (Amazon Bedrock) | — |
| Subdomains enumerated | 117 (57 Colombia Humana + 60 GIS) | — |
| **GRAND TOTAL** | **1,096 files** | **~26GB** |

---

*Report generated: 2026-02-25*
*Dump directory: C:\Users\Squir\Desktop\COLOMBIA\DUMP 2_25_2026*