# Colombia Humana — Political Party Infrastructure
## *.colombiahumana.co
## SEVERITY: CRITICAL

- **Dump Size**: 2.0MB, 65 files
- **Subdomains Found**: 57 (via crt.sh)

---

## Targets & Findings

### 1. GCP Service Account Key (CRITICAL)
- **URL**: /portal/wp-content/themes/colombiahumana/colombia-humana-2024-ea35973a5d65.json
- **Project**: colombia-humana-2024
- **Email**: google-analytics-asamblea-2024@colombia-humana-2024.iam.gserviceaccount.com
- **Full RSA private key downloaded** — can authenticate as this service account
- **File**: `gcp-service-account-key.json`

### 2. Delegate PII Database (CRITICAL)
- **URL**: decidim.colombiahumana.co/index.php?action=get_confirmados
- **Records**: 1,870 delegates (names + cedula numbers) — NO AUTH
- **Cedula lookup**: POST with cedula returns masked email
- **Departments**: 36 (including special: Afro, Indigenas, LGTBIQA+, Internacional, JNC)
- **File**: `decidim-confirmados.json` (267KB)

### 3. Agora Platform — 869 Routes Exposed (HIGH)
- **URL**: agora.colombiahumana.co
- **Framework**: Laravel + Inertia.js + Vue (Sanctum auth)
- **CSRF Token**: A19TNRvHnFhVqYv8tVp0e9CghWMSJ89MyeZyVN6F
- **Route categories**: Assemblies, candidacies, campaigns (email/WhatsApp/SMS), contracts, electoral processes, voters, witnesses, OTP dashboard, file management, system config
- **File**: `agora-routes.json` (191KB)

### 4. WordPress Portal (HIGH)
- **URL**: www.colombiahumana.co/portal
- **Server path**: /www/wwwroot/colombiahumana.co/portal/
- **Admin users**: danielb (ID:1), luischavarria (ID:3), nuevo2024luischavarria (ID:139585)
- **XMLRPC**: ENABLED (brute force vector)
- **20 Formidable forms** — PII collection structures (registration, assemblies, etc.)
- **Media uploads**: Cedula PDFs, affiliation/disaffiliation letters publicly downloadable
- **GA Property ID**: 469597137

### 5. CRM (MEDIUM)
- **URL**: crm.colombiahumana.co
- **Platform**: WordPress + Groundhogg CRM
- **181 API routes** mapped (contacts, companies, emails, broadcasts, funnels, campaigns)
- **XMLRPC**: ENABLED
- **Wordfence WAF** present
- **Files**: `crm-gh-v3.json`, `crm-gh-v4.json`

### 6. Nextcloud (MEDIUM)
- **URL**: nube.colombiahumana.co
- **Version**: 30.0.6.2
- **Critical app**: **impersonate** — admin can act as any user
- **Other apps**: snappymail, libresign, forms, groupfolders
- **Federated sharing**: ENABLED

---

## Subdomain Inventory

| Status | Subdomains |
|--------|-----------|
| **Live** | agora, crm, decidim, asamblea, nube, www, link (SMTP2GO) |
| **Catch-all** | civis, roundcube, office (serve Delegates Portal) |
| **Dead** | api, api2, app, votaciones, chat, sandbox, dev, laravel, formacion, desk, soporte, plataforma, participa, reunion, webmail, wpapi, wpapi2, comunidad, collab, aws (+20 more) |

---

## Files Index

### Credentials & Infrastructure
| File | Size | Description |
|------|------|-------------|
| gcp-service-account-key.json | 2.4KB | FULL GCP RSA private key |
| portal-active-users.json | 640B | GA leak + server path |
| portal-users.json | 2.4KB | 3 WordPress admin users |

### PII & Party Data
| File | Size | Description |
|------|------|-------------|
| decidim-confirmados.json | 267KB | 1,870 delegate records |
| agora-routes.json | 191KB | 869 Laravel admin routes |
| agora-page.html | 141KB | Full page + Ziggy config |
| portal-forms.json | 59KB | 20 form structures |
| form-*-fields.json | ~500KB | 20 individual form fields |

### CRM
| File | Size | Description |
|------|------|-------------|
| crm-gh-v4.json | 38KB | CRM v4 API schema (181 routes) |
| crm-gh-v3.json | 13KB | CRM v3 API schema |
| crm-media.json | 382KB | CRM media library |
| crm-wordfence.json | 2.4KB | Wordfence status |

### Nextcloud
| File | Size | Description |
|------|------|-------------|
| nube-login.html | 18KB | Login page with full config |
| nube-status.json | 170B | Server info (v30.0.6.2) |

### Other
| File | Size | Description |
|------|------|-------------|
| portal-media-p1.json | 52KB | WP media (cedula PDFs) |
| portal-confirmardatos.html | 36KB | Cedula confirmation page |
| decidim-delegates-portal.html | 13KB | Delegates portal source |
