# Haiti Financial & Oversight Agency Domain Sweep
**Date:** 2026-03-04 (Updated)
**Scope:** 15 financial/oversight .gouv.ht domains
**Method:** Passive OSINT - unauthenticated HTTP GET only

---

## EXECUTIVE SUMMARY

- **10 of 15 domains LIVE** and serving content
- **5 WordPress sites** identified (oni, ulcc, faes, oavct, ciat)
- **2 Laravel sites** identified (cnmp, infp)
- **1 October CMS site** identified (budget)
- **1 IIS/ASP.NET site** identified (omrh) -- HIGH INTEREST
- **1 static nginx site** identified (ofatma)
- **5 domains DOWN/blocked** (cscca, ucref, bhda, bmpad, ihsi)

### KEY FINDINGS

| Finding | Severity | Domain |
|---------|----------|--------|
| WP user enumeration (usernames exposed) | MEDIUM | oni, faes, oavct, ciat |
| IIS detailed errors + physical path disclosure | MEDIUM | omrh |
| Admin login panel exposed (no 2FA visible) | LOW-MED | omrh, budget, infp |
| Duplicator backup plugin installed | LOW-MED | faes |
| readme.html exposed (WP version fingerprint) | LOW | oni, ulcc, faes, oavct |
| xmlrpc.php accessible (405/409 but present) | LOW | oavct |
| October CMS backend login exposed | LOW | budget |
| Bluehost shared hosting (host-header leak) | INFO | faes, infp |
| Hostinger hosting identified | INFO | oavct |
| WordPress 6.9.1 identified | INFO | faes, oavct, ciat |
| PHP 7.4.33 (EOL) | INFO | budget |

---

## DOMAIN-BY-DOMAIN RESULTS

---

### 1. budget.gouv.ht (Direction Generale du Budget)
**Status:** LIVE
**Stack:** Apache / PHP 7.4.33 / October CMS
**HTTPS:** Valid certificate, HTTP redirects to HTTPS

#### CMS: October CMS
- Generator tag: `DIRECTION GENERALE DU BUDGET` (custom)
- Session cookie: `october_session` (confirms October CMS)
- PHP 7.4.33 -- END OF LIFE (security support ended Nov 2022)
- Google Analytics: `G-27SLQ5ZGVJ`

#### Backend Admin Panel
- `/backend` -> 302 redirect to `/backend/backend/auth`
- `/backend/backend/auth/signin` -> **200 OK** (login form accessible)
- Standard October CMS admin login -- no CAPTCHA or 2FA visible

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /.git/HEAD | 404 (clean) |
| /.env | 404 (clean) |
| /web.config | 404 (clean) |
| /robots.txt | 404 (not configured) |
| /server-status | 404 |
| /phpinfo.php | 404 |
| /storage/ | 404 |
| /config/ | 404 |

**Assessment:** Reasonably hardened. Main risk is PHP 7.4 EOL and exposed admin login.

---

### 2. oni.gouv.ht (Office National d'Identification)
**Status:** LIVE
**Stack:** PHP 8.4.7 / WordPress / Yoast SEO / Akismet / Contact Form 7
**HTTPS:** Valid certificate, HTTP 302 -> HTTPS

#### WordPress Details
- WP-JSON API: Fully accessible
- Yoast SEO plugin detected
- Akismet plugin detected
- Contact Form 7 plugin detected

#### USER ENUMERATION -- EXPOSED
```
ID 4: "Jean Duke Dorcy" (slug: ducked)
ID 1: "oni" (slug: oni)
```
- Gravatar hashes exposed for both users
- Author archive pages accessible

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /readme.html | **200 OK** -- WP version fingerprint (requires PHP 8.3+, MySQL 8.0+) |
| /xmlrpc.php | 409 Conflict (blocked/disabled) |
| /wp-login.php | **200 OK** (login page accessible) |
| /.git/HEAD | 404 (clean) |
| /.env | 404 (clean) |
| /robots.txt | Empty (not configured) |
| /server-status | 403 Forbidden |
| /phpinfo.php | 404 |
| /wp-content/debug.log | 404 |
| /wp-content/uploads/ | 403 (directory listing disabled) |
| /wp-config.php.bak | 404 |

**Assessment:** User enumeration is the primary finding. xmlrpc.php is disabled. Modern PHP version.

---

### 3. omrh.gouv.ht (Office of HR Management) -- HIGH INTEREST
**Status:** LIVE
**Stack:** Microsoft IIS 10.0 / ASP.NET 4.0.30319 / ASP.NET WebPages 2.0 / PleskWin
**HTTPS:** Valid certificate, HTTP 301 -> HTTPS

#### PHYSICAL PATH DISCLOSED
IIS detailed error pages leak the full server filesystem path:
```
C:\Inetpub\vhosts\omrh2012-44165.package\omrh.gouv.ht\wwwroot\
```
This reveals:
- Plesk hosting package name: `omrh2012-44165.package`
- Windows Server 2022 (build 20348 from error page link)
- Standard Plesk vhost layout

#### web.config Probe
- `/web.config` returns **404.8 - Not Found** (hiddenSegment rule blocks it)
- RequestFilteringModule is active -- web.config is protected by IIS request filtering
- The hiddenSegments configuration is working correctly to block sensitive file access

#### Admin Login Panel
- `/Admin` and `/admin` -> **302 redirect to `/Login?ReturnUrl=%2fAdmin`**
- `/Login` -> **200 OK** -- Full admin login form exposed
  - Title: "Web Pages Administration"
  - Fields: User Name (Email), Password, Remember Me
  - jQuery 2.1.1, Bootstrap 3.2.0
  - No CAPTCHA, no 2FA visible
  - Standard ASP.NET WebPages authentication

#### IIS Error Code Analysis
| Path | Error | Meaning |
|------|-------|---------|
| /web.config | 404.8 | hiddenSegment rule blocks access |
| /App_Data/ | 404.8 | hiddenSegment rule blocks access |
| /bin/ | 404.8 | hiddenSegment rule blocks access |
| /packages.config | 404.7 | File extension blocked by request filtering |
| /Web.Debug.config | 404.7 | File extension blocked |
| /Web.Release.config | 404.7 | File extension blocked |
| /connectionstrings.config | 404.7 | File extension blocked |
| /.env | 404.0 | File not found (clean) |
| /.git/HEAD | 404.8 | hiddenSegment rule blocks the `.git` segment |

#### Other Probes
| Path | Result |
|------|--------|
| /elmah.axd | 404 Not Found |
| /trace.axd | 404 Not Found |
| /Content/ | **403 Forbidden** (directory exists but listing disabled) |
| /Scripts/ | **403 Forbidden** (directory exists but listing disabled) |
| /Account/Login | 404 |
| /Umbraco | 404 |
| /api/ | 404 |
| /robots.txt | Exists: `# WebMatrix 2.0` comment only |

#### robots.txt Content
```
# This file can be used to affect how search engines and other web site crawlers see your site.
# For more information, please see http://www.w3.org/TR/html4/appendix/notes.html#h-B.4.1.1
# WebMatrix 2.0
```
This confirms the site was originally built with **Microsoft WebMatrix 2.0**.

**Assessment:** IIS request filtering is properly configured and blocks sensitive files. However, detailed error pages are enabled (production should serve custom errors), leaking physical paths and server info. Admin login is exposed with no 2FA visible. The /Content/ and /Scripts/ directories exist (403), consistent with a standard ASP.NET site layout. Unlike MICT, web.config is NOT directly downloadable here -- the hiddenSegment rule is working.
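
The remediation the assessment points to, as a `web.config` fragment. This is an added example, not configuration taken from the site or from the original sweep; the `~/error.html` target is a placeholder, and it assumes the `httpErrors` and `requestFiltering` sections are delegated to the site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- ASP.NET-level errors: remote clients get a generic page instead of a
         stack trace. The weak setting is mode="Off".
         The redirect target below is a placeholder. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
  <system.webServer>
    <!-- IIS-level errors: errorMode="Detailed" sends the physical path and
         module details to every client, which is the leak seen here.
         DetailedLocalOnly keeps that detail for requests made on the server
         itself; errorMode="Custom" hides it for everyone. -->
    <httpErrors errorMode="DetailedLocalOnly" />
    <security>
      <requestFiltering>
        <!-- A request containing a hidden segment is rejected with 404.8.
             web.config, bin and App_Data are hidden by the IIS defaults in
             applicationHost.config; .git is not and has to be added.
             The remove element makes the entry safe to apply when a parent
             configuration level already defines it. -->
        <hiddenSegments>
          <remove segment=".git" />
          <add segment=".git" />
        </hiddenSegments>
        <!-- The .config extension is denied by the IIS defaults (404.7), so
             it is inherited rather than repeated here; repeating it without
             a remove element would be a duplicate collection entry. -->
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```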

---

### 4. cscca.gouv.ht (Supreme Audit Institution)
**Status:** DOWN
- HTTPS: Connection failed
- HTTP: 302 redirect to `https://www.safebrowse.io/warn.html` -- domain appears to be parked/expired and intercepted by SafeBrowse DNS

---

### 5. ulcc.gouv.ht (Anti-Corruption Unit)
**Status:** LIVE
**Stack:** Apache / WordPress / Elementor 3.35.6 / Contact Form 7 / Really Simple Security / Wordfence / Burst Analytics
**HTTPS:** Valid certificate, HTTP 301 -> HTTPS (Really Simple Security plugin forces HTTPS)

#### WordPress Details
- Elementor Pro detected
- Wordfence WAF detected
- Spectra/UAG (Starter Templates) detected
- Really Simple Security plugin (handles HTTPS redirect)
- Contact Form 7

#### User Enumeration
- `/wp-json/wp/v2/users` -> **401 Unauthorized** ("Sorry, you are not allowed to list users")
- User enumeration is BLOCKED (likely by Wordfence)

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /readme.html | **200 OK** (WP version fingerprint available) |
| /xmlrpc.php | 409 Conflict (blocked) |
| /wp-login.php | 409 Conflict (blocked -- Really Simple Security) |
| /.git/HEAD | 404 (clean) |
| /.env | **406 Not Acceptable** (Mod_Security blocks it) |
| /robots.txt | Standard WP robots + wpo-plugins-tables-list.json disallow |
| /server-status | 200 but returns 403 content (cached error page) |
| /phpinfo.php | 409 Conflict |
| /wp-content/debug.log | 404 |
| /wp-config.php.bak | 406 (Mod_Security blocks) |
| /wp-sitemap.xml | Referenced in robots.txt |

#### robots.txt Content
```
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://ulcc.gouv.ht/wp-sitemap.xml

User-agent: *
Disallow: /wp-content/uploads/wpo/wpo-plugins-tables-list.json
```

**Assessment:** Best-hardened WordPress site in this batch. Wordfence WAF + Mod_Security + Really Simple Security. User enumeration blocked. Login page blocked. Mod_Security blocks .env and backup file probes.

---

### 6. ucref.gouv.ht (Financial Intelligence Unit)
**Status:** DOWN / WAF-BLOCKED
- HTTPS: Returns 415 Unsupported Media Type
- HTTP: 301 -> HTTPS (which then 415s)
- With Accept header: Shows "One moment, please..." anti-bot challenge page
- Appears to be behind a challenge-based WAF that blocks curl/non-browser requests
- Server: Apache (when 415 is returned)

---

### 7. cnmp.gouv.ht (National Public Procurement Commission)
**Status:** LIVE
**Stack:** Apache / PHP / Laravel (XSRF-TOKEN + cnmp_session cookies confirm Laravel)
**HTTPS:** Valid certificate, HTTP 302 -> HTTPS

#### Framework: Laravel
- XSRF-TOKEN cookie pattern confirms Laravel
- 404 pages use Laravel's default error template (Tailwind CSS styled)
- Session cookie: `cnmp_session`

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /.git/HEAD | 404 (clean, Laravel 404 page) |
| /.env | 404 (clean, Laravel 404 page) |
| /web.config | 404 |
| /robots.txt | `User-agent: * / Disallow:` (allows all) |
| /server-status | 404 |
| /phpinfo.php | 404 |
| /storage/ | **301 redirect** to /storage (path exists!) |
| /storage/logs/ | **301 redirect** to /storage/logs (path exists!) |
| /login | 404 |
| /admin | 404 |
| /telescope | 404 |
| /horizon | 404 |

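**Note:** /storage/ and /storage/logs/ return 301 redirects rather than 404s, which suggests these directories exist in the web root. Treat that as unconfirmed: Laravel's default `public/.htaccess` also answers any non-directory path ending in a slash with a 301 to the slash-less URL, so the redirect alone does not prove a directory is present. The redirect targets return Laravel 404 pages, suggesting proper routing is in place.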

**Assessment:** Reasonably configured. Laravel debug mode appears to be off (no stack traces in 404s). No admin panel found. Storage directory paths exist but content is not exposed.

---

### 8. ofatma.gouv.ht (Work Accident Insurance Office)
**Status:** LIVE (but appears to be a static/stale site)
**Stack:** nginx 1.28.0 / Static HTML
**HTTPS:** Valid certificate, HTTP returns 403
**Last Modified:** 2023-06-16 (nearly 3 years old)

#### Site Analysis
- Serves static HTML (22,629 bytes)
- No CMS generator tag detected
- No PHP, no framework detected
- Title: "OFATMA -"
- Content has not been modified since June 2023

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /.git/HEAD | 404 |
| /.env | 404 |
| /web.config | 404 |
| /robots.txt | `Sitemap: http://ofatma.gouv.ht/sitemap.xml` (HTTP, not HTTPS) |
| /server-status | 404 |
| /phpinfo.php | 404 |
| /admin | 404 |
| /wp-login.php | 404 |

**Assessment:** Appears abandoned -- static HTML site last updated June 2023. Minimal attack surface.

---

### 9. faes.gouv.ht (Economic and Social Assistance Fund)
**Status:** LIVE
**Stack:** Apache / WordPress 6.9.1 / Elementor 3.25.10 / Bluehost Shared Hosting
**HTTPS:** Valid certificate, HTTP 301 -> HTTPS
**Hosting:** Bluehost shared hosting (response header `host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==` Base64-decodes to `shared.bluehost.com`)

#### WordPress Details
- WordPress 6.9.1
- Elementor 3.25.10
- **Duplicator backup plugin installed** (API endpoint exists at `/wp-json/duplicator/v1`)
- Jetpack plugin (with Boost, Blaze)
- Forminator plugin
- HappyAddons
- MailChimp for WP (mc4wp)
- Hub Connector
- Image Optimizer

#### USER ENUMERATION -- EXPOSED
```
ID 1: "admin" (slug: admin)
```
- Default "admin" username still in use
- Gravatar hash: 7792ae8164bc2b2e1bb99f1e189ba54928cee4392a7590627377a2ba82c34517

#### Duplicator Plugin
- `/wp-json/duplicator/v1` -> **200 OK** (API routes exposed)
- `/wp-json/duplicator/v1/versions` -> 403 Forbidden (auth required)
- `/wp-content/backups-dup-lite/` -> 404
- `/wp-content/backups-dup-pro/` -> 404
- No backup archives found in default locations

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /readme.html | **200 OK** (WP version fingerprint) |
| /xmlrpc.php | 409 Conflict (blocked) |
| /wp-login.php | 409 Conflict (blocked) |
| /.git/HEAD | 404 (clean) |
| /.env | **406 Not Acceptable** (Mod_Security) |
| /robots.txt | Standard WP robots + sitemap |
| /server-status | 404 |
| /phpinfo.php | 409 Conflict |
| /wp-content/debug.log | 404 |
| /wp-config.php.bak | 406 (Mod_Security) |

#### robots.txt Content
```
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://faes.gouv.ht/wp-sitemap.xml
```

**Assessment:** Default "admin" username is a significant risk. Duplicator plugin installed (potential backup exposure if misconfigured). Mod_Security provides some protection. Hosted on Bluehost shared hosting.

---

### 10. oavct.gouv.ht (Vehicle Insurance/Registration)
**Status:** LIVE
**Stack:** PHP 8.3.19 / WordPress 6.9.1 / Cloudflare / LiteSpeed / Hostinger
**HTTPS:** Valid certificate (Cloudflare), HTTP 301 -> HTTPS

#### WordPress Details
- WordPress 6.9.1
- Elementor 3.35.5
- Contact Form 7
- Image Optimizer
- Cloudflare Edge Cache enabled
- LiteSpeed web server behind Cloudflare
- Hostinger hosting platform

#### USER ENUMERATION -- EXPOSED
```
ID 1: "dtheranus" (slug: dtheranus)
ID 2: "FameThemes" (slug: famedemo, description: "This user is created while installing demo content. You should delete or modify this user's information now.")
```
- The "famedemo" demo user still exists and has NOT been removed as recommended
- Gravatar hashes exposed for both users

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /readme.html | **200 OK** (WP version fingerprint) |
| /xmlrpc.php | **405 Method Not Allowed** (responds to POST only -- still active!) |
| /wp-login.php | **200 OK** (login page accessible with cookie test) |
| /.git/HEAD | **403 Forbidden** (Cloudflare blocks) |
| /.env | 404 (clean) |
| /robots.txt | Cloudflare Content-Signal robots (see below) |
| /server-status | 404 |
| /phpinfo.php | 404 |
| /wp-content/debug.log | **403 Forbidden** (file may exist but blocked) |
| /wp-content/uploads/ | 403 (listing disabled) |
| /wp-config.php.bak | 403 (Cloudflare blocks) |

#### robots.txt Content (Cloudflare-managed)
```
User-agent: *
Content-Signal: search=yes,ai-train=no
Allow: /
```
Cloudflare's Content-Signal directives are in use.

**Assessment:** Demo user "famedemo" still exists. xmlrpc.php is still active (POST method allowed). Login page exposed. Cloudflare provides some WAF protection (403s on sensitive paths).

---

### 11. ihsi.gouv.ht (Haitian Institute of Statistics)
**Status:** DOWN / WAF-BLOCKED
- Both HTTP and HTTPS return 415 Unsupported Media Type
- Server: openresty/1.27.1.1
- With Accept header: Shows "One moment, please..." anti-bot challenge page
- Same WAF/challenge behavior as ucref.gouv.ht

---

### 12. bhda.gouv.ht (Office for Development of Artibonite Valley)
**Status:** DOWN
- HTTPS: Connection failed (even with -k cert skip)
- HTTP: 301 -> HTTPS (but HTTPS is unreachable)
- Server: Apache (from HTTP response)
- SSL/TLS is broken or server is only partially online

---

### 13. bmpad.gouv.ht (Bureau of Monetization)
**Status:** DOWN
- HTTPS: Connection failed
- HTTP: 302 redirect to `https://www.safebrowse.io/warn.html` -- domain parked/expired
- Same SafeBrowse interception as cscca.gouv.ht

---

### 14. ciat.gouv.ht (Land Committee - CIAT)
**Status:** LIVE
**Stack:** Apache / WordPress 6.9.1 / Divi Theme (Child v1.0) / WP-RSS Aggregator / Contact Form 7
**HTTPS:** Valid certificate (though initial HEAD returns 415, GET works)

#### WordPress Details
- WordPress 6.9.1
- Divi theme (Child v1.0) by Elegant Themes
- WP-RSS Aggregator v1.4.33 (for news feed aggregation)
- Contact Form 7 v6.1.3
- jQuery UI included

#### USER ENUMERATION -- EXPOSED
```
ID 1: "ciat_admin" (slug: ciat_admin)
```
- Gravatar hash: 00a9afd5e49ae62f76b4d92b729880d536c992c6e884b1740667d6615fcc0a2d

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /readme.html | 404 (removed -- good) |
| /xmlrpc.php | 404 (removed or blocked) |
| /wp-login.php | 302 redirect loop to itself (unusual) |
| /.git/HEAD | 404 (clean) |
| /.env | 404 (clean) |
| /robots.txt | Standard WP robots + sitemap |
| /server-status | 404 |
| /phpinfo.php | 404 |
| /wp-content/debug.log | 404 |
| /wp-config.php.bak | 404 |
| /wp-content/uploads/ | 404 |

#### robots.txt Content
```
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Sitemap: https://ciat.gouv.ht/wp-sitemap.xml
```

**Assessment:** User enumeration exposed but otherwise reasonably hardened. readme.html and xmlrpc.php removed. wp-login.php has redirect loop (may be behind a security plugin).

---

### 15. infp.gouv.ht (Professional Training Institute)
**Status:** LIVE
**Stack:** Apache / PHP / Laravel (Livewire) / Bluehost Shared Hosting
**HTTPS:** Valid certificate, HTTP 301 -> HTTPS
**Hosting:** Bluehost shared hosting (`shared.bluehost.com`)

#### Framework: Laravel with Livewire
- XSRF-TOKEN cookie pattern confirms Laravel
- Session cookie: `infp_session`
- Livewire frontend framework detected (wire: attributes in HTML)
- Login page uses Livewire components for auth

#### Admin Panel
- `/login` -> **200 OK** -- Login form (email + password)
  - Title: "Se connecter - INFP"
  - Livewire-powered auth component
  - No CAPTCHA visible, no 2FA visible
- `/admin` -> **302 redirect to /login** (admin requires auth)

#### Sensitive File Checks
| Path | Result |
|------|--------|
| /.git/HEAD | 404 (clean, Laravel page) |
| /.env | **406 Not Acceptable** (Mod_Security blocks) |
| /web.config | **406 Not Acceptable** (Mod_Security blocks) |
| /robots.txt | `User-agent: * / Disallow: /admin` |
| /server-status | 403 Forbidden |
| /phpinfo.php | 409 Conflict |
| /storage/ | **403 Forbidden** (directory exists!) |
| /register | 404 (registration disabled) |
| /api | 404 |
| /telescope | 404 |

**Assessment:** Laravel + Livewire stack with Mod_Security. Login exposed without visible CAPTCHA/2FA. /storage/ directory exists (403). Hosted on shared Bluehost.

---

## SUMMARY TABLE

| # | Domain | Status | Stack | CMS | Users Exposed | Admin Exposed | Notable |
|---|--------|--------|-------|-----|---------------|---------------|---------|
| 1 | budget.gouv.ht | LIVE | Apache/PHP 7.4 | October CMS | N/A | YES (/backend) | PHP 7.4 EOL |
| 2 | oni.gouv.ht | LIVE | PHP 8.4 | WordPress | YES (2) | wp-login 200 | Jean Duke Dorcy, oni |
| 3 | omrh.gouv.ht | LIVE | IIS 10/ASP.NET | WebMatrix/WebPages | N/A | YES (/Login) | Physical path leaked, Plesk |
| 4 | cscca.gouv.ht | DOWN | - | - | - | - | SafeBrowse redirect |
| 5 | ulcc.gouv.ht | LIVE | Apache | WordPress | BLOCKED | BLOCKED | Best hardened (Wordfence) |
| 6 | ucref.gouv.ht | BLOCKED | Apache | Unknown | - | - | Anti-bot challenge |
| 7 | cnmp.gouv.ht | LIVE | Apache/PHP | Laravel | N/A | None found | Clean config |
| 8 | ofatma.gouv.ht | LIVE | nginx 1.28 | Static HTML | N/A | None | Stale since Jun 2023 |
| 9 | faes.gouv.ht | LIVE | Apache | WordPress 6.9.1 | YES (1) | wp-login blocked | "admin" user, Duplicator |
| 10 | oavct.gouv.ht | LIVE | LiteSpeed/CF | WordPress 6.9.1 | YES (2) | wp-login 200 | Demo user, xmlrpc active |
| 11 | ihsi.gouv.ht | BLOCKED | openresty | Unknown | - | - | Anti-bot challenge |
| 12 | bhda.gouv.ht | DOWN | Apache | Unknown | - | - | SSL broken |
| 13 | bmpad.gouv.ht | DOWN | - | - | - | - | SafeBrowse redirect |
| 14 | ciat.gouv.ht | LIVE | Apache | WordPress 6.9.1 | YES (1) | Login redirect loop | Divi theme, ciat_admin |
| 15 | infp.gouv.ht | LIVE | Apache | Laravel/Livewire | N/A | YES (/login) | Bluehost shared |

---

## WORDPRESS USER ENUMERATION SUMMARY

| Site | User ID | Display Name | Slug (Login) | Gravatar Hash |
|------|---------|-------------|--------------|---------------|
| oni.gouv.ht | 1 | oni | oni | 209b9c810fbf20d585adadc70d6711d0dda4ed0d56629dd515f3daa94aff915a |
| oni.gouv.ht | 4 | Jean Duke Dorcy | ducked | 0a716746ac84cc7d4c16842b075138ba1974b5535c2c1892fa984f9305368372 |
| faes.gouv.ht | 1 | admin | admin | 7792ae8164bc2b2e1bb99f1e189ba54928cee4392a7590627377a2ba82c34517 |
| oavct.gouv.ht | 1 | dtheranus | dtheranus | 557b1cac82741ac43ecba112b65ad0a2cef69069bdbd99f7d7560162a127deda |
| oavct.gouv.ht | 2 | FameThemes | famedemo | c2c273c5028d645b37ea6b75e089b20fcfbcb940bff39ce353b8ab24164b6344 |
| ciat.gouv.ht | 1 | ciat_admin | ciat_admin | 00a9afd5e49ae62f76b4d92b729880d536c992c6e884b1740667d6615fcc0a2d |

---

## HOSTING INFRASTRUCTURE MAP

| Domain | Hosting Provider | Server Software | Notes |
|--------|-----------------|-----------------|-------|
| budget.gouv.ht | Unknown | Apache | Direct hosting |
| oni.gouv.ht | Unknown (CDN proxy) | Unknown origin | Request ID tracking |
| omrh.gouv.ht | Plesk (PleskWin) | IIS 10.0 | Windows Server 2022 |
| ulcc.gouv.ht | Bluehost/EIG | Apache + nginx reverse proxy | Shared hosting |
| cnmp.gouv.ht | Unknown | Apache | Direct hosting |
| ofatma.gouv.ht | Unknown | nginx 1.28.0 | Static site |
| faes.gouv.ht | Bluehost | Apache + nginx 1.25.5 | Shared hosting |
| oavct.gouv.ht | Hostinger | LiteSpeed + Cloudflare | hpanel |
| ciat.gouv.ht | Unknown | Apache | Direct hosting |
| infp.gouv.ht | Bluehost | Apache | Shared hosting |

---

## OMRH.GOUV.HT DETAILED ANALYSIS (IIS/ASP.NET Target)

### Stack Confirmation
- **Web Server:** Microsoft IIS 10.0
- **Framework:** ASP.NET 4.0.30319, ASP.NET WebPages 2.0
- **OS:** Windows Server 2022 (build 20348)
- **Hosting Panel:** Plesk for Windows (PleskWin)
- **Original Tool:** Microsoft WebMatrix 2.0

### Physical Path Disclosure
Every error page leaks the full filesystem path:
```
C:\Inetpub\vhosts\omrh2012-44165.package\omrh.gouv.ht\wwwroot\
```

### Request Filtering Analysis
IIS Request Filtering is configured with:
- **hiddenSegments:** Blocks access to web.config, App_Data, bin, .git
- **File extension filtering:** Blocks .config files (404.7)
- **Result:** web.config is NOT directly downloadable (unlike MICT)

### Comparison to MICT (where MySQL creds were found)
| Feature | MICT | OMRH |
|---------|------|------|
| Server | IIS/PleskWin | IIS/PleskWin |
| web.config access | EXPOSED | BLOCKED (404.8) |
| Physical path leak | Yes | Yes |
| Admin panel | Unknown | /Login (exposed) |
| Error verbosity | Detailed | Detailed |

**Key difference:** OMRH has hiddenSegment rules that MICT apparently lacked. web.config cannot be downloaded directly. However, both sites share the same PleskWin infrastructure pattern, suggesting they may be on the same or similar hosting provider.

---

## PLUGIN/TECHNOLOGY INVENTORY

### WordPress Plugin Detection (via WP-JSON namespaces)

| Plugin | ONI | ULCC | FAES | OAVCT | CIAT |
|--------|-----|------|------|-------|------|
| Elementor | - | Pro | Yes | Yes | - |
| Yoast SEO | Yes | - | - | - | - |
| Akismet | Yes | - | - | - | - |
| Contact Form 7 | Yes | Yes | - | Yes | Yes |
| Wordfence | - | Yes | - | - | - |
| Jetpack | - | - | Yes | - | - |
| Duplicator | - | - | Yes | - | - |
| Divi | - | - | - | - | Yes |
| Burst Analytics | - | Yes | - | - | - |
| WP-RSS Aggregator | - | - | - | - | Yes |
| Really Simple Security | - | Yes | - | - | - |
| Forminator | - | - | Yes | - | - |
| Image Optimizer | - | - | Yes | Yes | - |
| Spectra/UAG | - | Yes | - | - | - |

---

## RECOMMENDATIONS FOR FURTHER INVESTIGATION

1. **OMRH /Login brute force potential:** Admin login has no visible rate limiting or CAPTCHA. Could be tested with common credential lists (authorized engagement only).

2. **FAES Duplicator plugin:** Check for installer files at `/installer.php`, `/dup-installer/`, etc. Duplicator has had critical vulnerabilities (CVE-2020-11738, CVE-2022-2552).

3. **OAVCT xmlrpc.php:** Still responds to POST -- could be used for brute force amplification or pingback attacks.

4. **Gravatar hash reversal:** The exposed Gravatar hashes can be reversed to email addresses using rainbow table services.

5. **OMRH same-host investigation:** If OMRH shares the PleskWin host with MICT, there may be cross-site vulnerabilities or shared credentials.

6. **ofatma.gouv.ht sitemap.xml:** References HTTP (not HTTPS) sitemap -- may reveal additional endpoints.

7. **ucref.gouv.ht and ihsi.gouv.ht:** Both behind anti-bot WAF -- may be accessible via browser or with proper cookie/challenge handling.
