# Colombia OSINT - Comprehensive Findings Report
## Date: 2026-02-25
## Dump Directory: C:\Users\Squir\Desktop\COLOMBIA\DUMP 2_25_2026

---

## EXECUTIVE SUMMARY

Identified and extracted data from **9 Colombian government ArcGIS servers**, **4 Colombia Humana party platforms** (including the full Agora management system with 869 routes), and the **Colombian National Police AI platform** (5 subdomains). Total data extracted: **~25GB** across **1,082 files**.

An additional **60 GIS subdomains** across 16 Colombian government agencies, enumerated through crt.sh certificate transparency logs, were probed: 49 were dead/unreachable, 4 had open ArcGIS (all dumped), 1 was a GeoServer (data portal), and 6 were alive but restricted.

Key findings:
- **GCP Service Account private key** publicly exposed (Colombia Humana)
- **AWS STS credentials** leaked on every page load (Police AI Platform)
- **1,870 delegate records** with full PII (names + cédula numbers) accessible without auth
- **9 ArcGIS servers** with no/partial authentication containing military, intelligence, cadastre, hydrocarbon, and environmental data
- **Bogota Cadastre** — full city property/land data (2.4GB) including commercial/residential valuations, census blocks, building heights
- **ANH Hydrocarbons** — 27K+ oil/gas wells, seismic data, sedimentary basins, mining parcels (614MB)
- **CAR Environmental** — land use/coverage, protected areas, mining titles, POMCA watershed data (5.2GB)
- **869 Laravel routes** exposed on Agora party management platform
- **26,089 government project records** from Contraloría
- **Cédula PDF** uploads accessible via WordPress media API
- **XMLRPC** enabled on both WordPress instances (brute force vector)
- **Nextcloud 30.0.6** with impersonation app installed
- **57 subdomains** enumerated for colombiahumana.co
- **Police AI vendor identified**: Houndoc.ai (maps analytics, catalog, IAM infrastructure)

---

## 1. ARCGIS SERVERS - NO AUTHENTICATION

### 1.1 Presidential ArcGIS (ergit.presidencia.gov.co)
- **Status**: LIVE - No auth required
- **Version**: ArcGIS Enterprise 11.3.0
- **Data Volume**: **2.0GB** dumped, 241 JSON files
- **Content**: 29 folders, 31 root services
- **Sensitive Data**:
  - Military conflict maps (July 2025, September 2025)
  - Armed group territories: ELN, Clan del Golfo/AGC, Disidencias EMC, EMBF, Segunda Marquetalia
  - AETCR camps (FARC reintegration GPS coordinates)
  - Peace signatory attacks H1 2025 (92MB)
  - 22 human rights services (Fiscalía GIS, FECOLPER, FLIP, Medicina Legal)
  - Protection routes, risk dynamics
  - Consejo Superior de la Judicatura data (2.4MB)
  - DDHH Medicina Legal forensic data (35MB)
  - Municipio victim data (320MB)
  - Indigenous reserve ethnic impact (184MB + 85MB)
  - Women Free from Violence departmental matrix (77MB)
- **Dump**: `arcgis/` directory

### 1.2 DNP ArcGIS (gis.dnp.gov.co) - National Planning Department
- **Status**: LIVE - No auth required
- **Data Volume**: ~841MB dumped, 199 JSON files
- **Content**: 6 folders, 15 root services
- **Sensitive Data**:
  - 7 IHEH military services (IHEH_MIL1 through MIL7)
  - 3 CTT Military Geovisors
  - PISCC (National Security Plan) - 9.7MB of prioritized municipalities
  - Proyectos RUAPP (Rural projects) - 16MB
  - CATASTRO Multipropósito (land registry)
  - JOVENES_DANE (youth demographics)
  - POMCA data (73MB)
- **Dump**: `arcgis-dnp/` directory

### 1.3 UPRA ArcGIS (sig.upra.gov.co) - Rural Agricultural Planning
- **Status**: LIVE - No auth required
- **Version**: ArcGIS Enterprise 11.3
- **Data Volume**: **12GB** dumped, 118 JSON files
- **Content**: 17 folders (arcgis) + 17 folders (server), 37 subdirectories
- **Key Data**:
  - Land use aptitude for 30+ crop types (cypress 3.9GB, shrimp 858MB, beekeeping 610MB, acacia 520MB, cachama 450MB, ceiba 446MB, coconut 108MB...)
  - Rural land market data
  - Crop monitoring intelligence
  - Property formalization records
  - Agricultural production costs
  - Land administration (LADM-COL)
  - Property/parcel data
  - 2026 department and municipality boundaries
  - Irrigation district data
- **Dump**: `arcgis-upra/` directory

### 1.4 MinAmbiente ArcGIS (sig.minambiente.gov.co) - Ministry of Environment
- **Status**: LIVE - No auth required
- **Version**: ArcGIS 10.81
- **Data Volume**: ~330MB dumped, 10 JSON files
- **Content**: HAC hydrographic services
- **Data**: 1,569 features covering hydrographic sub-zones, zones, areas, municipalities, departments, nodes, action plans
- **Dump**: `arcgis-minambiente/` directory

### 1.5 Contraloría ArcGIS (gis.contraloria.gov.co) - Comptroller General
- **Status**: PARTIALLY ACCESSIBLE (most folders require token)
- **Version**: ArcGIS Enterprise 11.3
- **Data Volume**: ~95MB dumped, 40 JSON files
- **Public folders**:
  - Hosted: Departments (33MB), Municipalities, watermark
  - GEOPORTALPROYECTOS: APPUI projects, contracting reports, mega-works
- **Auth-protected folders (24 total)**:
  - COCA (coca cultivation), TITULOS_MINEROS (mining titles)
  - PROYECTOS_POSCONFLICTO_2024, SEGUIMIENTO_HOSPITALES_2025
  - SEGUIMIENTO_101_MEGAOBRAS, NBI, MODELO_MINERIA
  - ALCALDES_GOBERNADORES_2024, MOE_2023, PARAMOS
- **Dump**: `arcgis-contraloria/` directory

### 1.6 Parques Nacionales (mapas.parquesnacionales.gov.co) - National Parks
- **Status**: LIVE - No auth required
- **Version**: ArcGIS 10.51
- **Data Volume**: ~2.5GB dumped, 29 files
- **Content**: 7 folders
- **Features Extracted**:
  - RUNAP (National Protected Areas Registry): 1,837 features
  - Park boundaries (polygons): 65 national parks
  - Park boundary points: 2,264 features
  - Zoning (management plans): 5,204 features (2,361 + 2,843)
  - Conservation priorities: 16,437 features
  - New areas: 5 features
  - Land cover 2019-2024 high-res 25K (1.3GB, 6 annual layers)
  - Land cover 2002-2022 historical (8 temporal layers)
  - IGAC conservation priorities (111MB, 16,437 features)
  - Zoning management plans (244MB, 5,204 features)
- **Dump**: `arcgis-parques/` directory

### 1.7 CAR ArcGIS (sig.car.gov.co) - Environmental Authority of Cundinamarca
- **Status**: LIVE - No auth required
- **Version**: ArcGIS Enterprise 11.1
- **Data Volume**: **5.2GB** dumped, 54 JSON files
- **Content**: 7 folders (CARTOGRAFIA_EN_LINEA, CuencaAlta, Donde_esta_mi_predio, Mineria, RESERVA_TVDH, RIESGOS, VISOR)
- **Key Data**:
  - Land use and soil coverage (2.7GB single file)
  - Contour lines / elevation (506MB)
  - POMCA watershed zoning: Río Medio/Bajo Suárez (212MB), Río Alto Suárez (55MB)
  - Geology at 1:100K (31MB)
  - Third-order watershed boundaries (29MB)
  - Drainage networks — single (27MB) and double (2.7MB)
  - Road networks (22MB)
  - Soil aptitude mapping (17MB)
  - Declared protected areas (17MB)
  - Mining titles (1.1MB)
  - Reserva Thomas van der Hammen data
  - Risk/hazard mapping
- **Dump**: `arcgis-car/` directory

### 1.8 Bogota Cadastre (sig.catastrobogota.gov.co) - Cadastral District Unit
- **Status**: LIVE - No auth required
- **Version**: ArcGIS Enterprise 11.3
- **Data Volume**: **2.4GB** dumped, 175 JSON files
- **Content**: 20 folders (ambiente, aplicaciones, catastro, desarrolloeconomico, educacion, emergencias, espaciopublico, gestionpublica, imagenes, Mapa_Referencia, movilidad, mujeres, ordenamientoterritorial, recreaciondeporte, salud, serviciospublicos, sitiosinteres, social, topografia, turismo)
- **Key Data**:
  - Average building heights per city block (1.1GB)
  - Residential constructed area per block (194MB + 97MB multi-year)
  - Commercial constructed area per block (138MB)
  - Census 2020 block-level data (120MB x2)
  - Property counts per block (110MB)
  - Commercial property valuations per m² (105MB)
  - Cadastral valuations per m² (105MB)
  - Animal protection brigades and veterinary emergencies
  - Environmental, education, mobility, health, emergency, public space data
  - Gender/women services, social services, tourism
- **Dump**: `arcgis-catastro-bogota/` directory

### 1.9 ANH ArcGIS (geovisor.anh.gov.co) - National Hydrocarbons Agency
- **Status**: LIVE - No auth required
- **Version**: ArcGIS Enterprise 11.1
- **Data Volume**: **614MB** dumped, 124 JSON files
- **Content**: 7 folders (Cruces_Socioambientales, Estudios_VT, GEOVISOR_v32, Hosted, Pozos3D, Yacimientos) + 5 root services
- **Key Data**:
  - VEstudios ANH (292MB) — hydrocarbon exploration studies database
  - Oil/gas wells (Pozos): 27,274 features (16MB) with GPS coordinates
  - Seismic 2D surveys: 19,409 line features
  - Seismic 3D surveys: 450 features
  - Sedimentary basins: 24 basin polygons (11MB)
  - Hydrocarbon land parcels (Tierras): 486 current + historical snapshots (2024-2025)
  - Coal mines: 27 features
  - Yacimientos (deposits): 833 features (14MB)
  - Department boundaries (34MB)
  - Raster footprints: 243 features
- **Dump**: `arcgis-anh/` directory

---

## 2. COLOMBIA HUMANA - POLITICAL PARTY INFRASTRUCTURE

### 2.1 Portal de Delegados (decidim.colombiahumana.co / asamblea.colombiahumana.co)
- **Platform**: Custom PHP (Apache)
- **Exposure**: 1,870 delegate records with NO AUTH required
- **Endpoint**: `GET /index.php?action=get_confirmados`
- **PII Fields**: confirmacion, departamento, municipio, nombres, apellidos, cedula
- **Cédula Lookup**: `POST /index.php` with `action=confirmar_datos&cedula=[number]`
- **Returns**: Partially masked email
- **Dump**: `colombia-humana/decidim-confirmados.json` (267KB)

### 2.2 Main Portal (www.colombiahumana.co/portal)
- **Platform**: WordPress
- **Server Path**: /www/wwwroot/colombiahumana.co/portal/
- **Exposed Data**:
  - **GCP Service Account Key** (CRITICAL): Full RSA private key at public URL
    - Project: colombia-humana-2024
    - Email: google-analytics-asamblea-2024@colombia-humana-2024.iam.gserviceaccount.com
  - **WordPress Users**: danielb (ID:1), luischavarria (ID:3), nuevo2024luischavarria (ID:139585)
  - **20 Form Structures** (Formidable Forms): Affiliate registration, assembly data, jury nominations
  - **Media Uploads**: Cédula PDFs, affiliation/disaffiliation letters
  - **XMLRPC Enabled**: system.multicall, mt.*, metaWeblog.*, wp.*, blogger.*
  - **GA Measurement ID**: 469597137
  - **Custom API**: ch/v1 namespace with active-users endpoint leaking debug info

### 2.3 CRM (crm.colombiahumana.co)
- **Platform**: WordPress + Groundhogg CRM
- **Version**: WordPress with Wordfence WAF
- **API Routes**: 181 Groundhogg endpoints discovered (contacts, companies, emails, broadcasts, funnels, campaigns)
- **Auth**: Most endpoints return 401 (authentication required)
- **XMLRPC**: Enabled
- **Dumps**: `colombia-humana/crm-gh-v3.json`, `crm-gh-v4.json`

### 2.4 Agora Platform (agora.colombiahumana.co)
- **Platform**: Laravel + Inertia.js + Vue
- **Status**: Login page accessible, admin requires auth
- **869 Routes Exposed** via Ziggy JavaScript config (saved to `agora-routes.json`)
- **Key Route Categories**:
  - `/admin/asambleas/*` - Assembly management (participants, voting, imports)
  - `/admin/candidaturas/*` - Candidacy management (approval, rejection, history)
  - `/admin/campanas/*` - Campaign management (email templates, WhatsApp, SMS)
  - `/admin/contratos/*` - Contract management (CRUD, evidence, obligations)
  - `/admin/convocatorias/*` - Calls/elections management
  - `/admin/coordinadores/*` - Coordinator assignments
  - `/admin/cursos/*` - Training courses (enrollment, content, reporting)
  - `/admin/dataops/*` - Data operations with spreadsheets
  - `/admin/divipol/*` - Political division mapping (departments, municipalities, voting stations)
  - `/admin/nodos/*` - Node/chapter management
  - `/admin/personas/*` - Person records (search, CRUD, tags, etiquetas)
  - `/admin/procesos-electorales/*` - Electoral processes (results, witnesses, evidence)
  - `/admin/testigos/*` - Electoral witnesses management
  - `/admin/votaciones/*` - Voting management
  - `/admin/api/otp-dashboard/*` - OTP queue stats and job management
  - `/admin/api/files/*` - File upload/download/delete
  - `/admin/configuracion/*` - System configuration (auth, email, legal, registration)
  - `horizon/*` - Laravel Horizon (queue monitoring) - 403 Forbidden
- **Auth Endpoints**: login, forgot-password, sanctum/csrf-cookie (Laravel Sanctum)
- **CSRF Token Exposed**: `A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F`
- **Dump**: `colombia-humana/agora-routes.json` (117KB), `colombia-humana/agora-page.html`

### 2.5 Subdomain Enumeration (colombiahumana.co)
- **Total Subdomains Found**: 57 (via crt.sh)
- **Live**: agora, crm, decidim, asamblea, nube, www, link (SMTP2GO)
- **Catch-all**: civis, roundcube, office (all serve Portal de Delegados)
- **Dead/Timeout**: api, api2, app, votaciones, chat, sandbox, dev, laravel, formacion, desk, soporte, plataforma, participa, reunion, webmail, roundcube, wpapi, wpapi2, comunidad, collab, aws
- **Notable**: link.colombiahumana.co runs SMTP2GO (email tracking service)

### 2.6 Nube (nube.colombiahumana.co)
- **Platform**: Nextcloud 30.0.6.2
- **Product Name**: "Nube Colombia Humana"
- **Notable Apps**: snappymail, **impersonate** (admin impersonation!), libresign, forms
- **Federated Sharing**: ENABLED
- **Auth**: Login page only (no public data without credentials)

---

## 3. POLICE AI PLATFORM (*.ia.policia.gov.co)

### 3.1 Main Platform (app.ia.policia.gov.co)
- **Framework**: Next.js
- **Auth**: Login page with pre-signed S3 URLs
- **AWS Account**: 926162397524
- **S3 Bucket**: pon-prod-ai-platform-926162397524
- **STS Credentials**: Fresh temporary credentials generated per page load
  - Access Key: ASIA5PI4UVFKL3IFXKMF (rotates)
  - Security tokens with 15-min expiry
- **Session Cookies**: secret=ogPXHONRigakoecq, ds cookie expires 2035

### 3.2 NADIA AI (nadia.ia.policia.gov.co)
- **Framework**: Vite React SPA
- **Bundle Size**: 2.4MB (fully extracted)
- **AWS Cognito User Pool**: us-east-1_s8S1IYnxv
- **API Gateway**: qb4jva2046.execute-api.us-east-1.amazonaws.com
- **AI Models** (via Amazon Bedrock):
  - Claude 4 Opus, Claude 4 Sonnet
  - Claude 3.7 Sonnet, Claude 3.5 Sonnet v1/v2
  - Claude 3.5 Haiku v1, Claude 3 Opus, Claude 3 Haiku
  - Amazon Titan Embedding Text v2
  - Cohere Embed Multilingual v3

### 3.3 Maps Analytics (maps.analytics.ia.policia.gov.co)
- **Framework**: Kepler.gl map visualization (React SPA)
- **Vendor**: Houndoc.ai (Colombian AI company)
- **Backend**: catalog.ia.policia.gov.co/bff (login-protected)
- **IAM**: iam.ia.policia.gov.co (identity management)
- **Map Tiles**: Served from www.houndoc.ai/maps-assets/
- **Bundle**: 345KB JS bundle extracted

### 3.4 Other Subdomains
- **aisearchengine.ia.policia.gov.co**: Redirects (307)
- **catalog.ia.policia.gov.co**: Backend-for-frontend, login redirect
- **iam.ia.policia.gov.co**: Identity/access management server

---

## 4. ADDITIONAL FINDINGS

### Mass Subdomain Probe (60 targets, 16 agencies)
Targets were enumerated via crt.sh certificate transparency and then probed:

**Dead/Unreachable (49)**: All police internal GIS (srvgis1-8, srvsigponal1-2, srvsigadmin, etc.), military (armada.mil.co, fac.mil.co), DANE statistics (geoportal, sige), ANM mining, SGC geological survey, land restitution, land agency, Fiscalía GIS, most CAR subdomains, INVIAS roads

**Open ArcGIS (4)**: sig.car.gov.co, sig.catastrobogota.gov.co, serviciosgis.catastrobogota.gov.co, geovisor.anh.gov.co — ALL DUMPED

**Alive but restricted (6)**: maps.analytics.ia.policia.gov.co (Kepler.gl), sigt.mintransporte.gov.co (empty), sigtdev.mintransporte.gov.co (empty), geoweb.smartmetospa.ideam.gov.co (GeoWeb app), car-geourbana (WAF), car-sigriobogota (403)

**GeoServer (1)**: datosgeograficos.car.gov.co — ArcGIS Hub open data portal (not WFS dumpable)

### WAF-Protected Sites (not exploitable)
- **www.fiscalia.gov.co**: WAF blocks .env/.git probes (F5 ASM)
- **www.mindefensa.gov.co**: WAF blocks all dot-file requests

### DNS Verification Tokens (from prior research)
- Google Site Verification: ZbFu0BAhJKxdmmP1uDBmrB3APD7G290CWV3l8ieJ_Lw
- Microsoft 365: ms11844033, ms33132372, ms37011212
- GlobalSign: ynqUB_TdDIexM50K56_qt2QTD06Rk96h9QVlmsE_CG
- Cisco CI: 50f370706a12aaca6d1d02152128404936a7b128da5b6237a2b36ef5f5a37094

### Police AI Vendor
- **Houndoc.ai** (www.houndoc.ai) — Colombian AI startup providing the Police AI platform
- Services: document parsing, semantic search, data extraction, map visualization
- Infrastructure: catalog BFF, IAM server, map tile server

---

## 5. DUMP INVENTORY

| Directory | Size | Files | Source | Status |
|-----------|------|-------|--------|--------|
| arcgis/ | 2.0GB | 241 | ergit.presidencia.gov.co | Complete |
| arcgis-dnp/ | 841MB | 199 | gis.dnp.gov.co | Complete |
| arcgis-upra/ | 12GB | 118 | sig.upra.gov.co | Complete |
| arcgis-minambiente/ | 330MB | 10 | sig.minambiente.gov.co | Complete |
| arcgis-contraloria/ | 95MB | 40 | gis.contraloria.gov.co | Complete |
| arcgis-parques/ | 2.5GB | 29 | mapas.parquesnacionales.gov.co | Complete |
| arcgis-car/ | 5.2GB | 54 | sig.car.gov.co | Complete |
| arcgis-catastro-bogota/ | 2.4GB | 175 | sig.catastrobogota.gov.co | Complete |
| arcgis-anh/ | 614MB | 124 | geovisor.anh.gov.co | Complete |
| colombia-humana/ | 2.0MB | 63 | *.colombiahumana.co | Complete |
| police-ai/ | 2.9MB | 17 | *.ia.policia.gov.co | Complete |
| **TOTAL** | **~25GB** | **1,082** | **11 sources** | **ALL COMPLETE** |

---

## 6. TOOLS & SCRIPTS

| Script | Target | Status |
|--------|--------|--------|
| arcgis_dumper.py | ergit.presidencia.gov.co | Complete |
| dnp_arcgis_dumper.py | gis.dnp.gov.co | Complete |
| upra_arcgis_dumper.py | sig.upra.gov.co | Complete |
| contraloria_parques_dumper.py | gis.contraloria.gov.co + parques | Complete |
| arcgis_discovery.py | Multi-domain ArcGIS scanner | Complete |
| mass_probe.py | 60-target mass subdomain prober | Complete |
| wave2_dumper.py | CAR + Bogota Cadastre + ANH | Complete |
