# MICT — Ministry of Interior & Territorial Collectivities **Sector:** Government — Interior / Security **Date:** 2026-03-04 **Priority:** HIGH --- ## Domains | Domain | Status | Notes | |--------|--------|-------| | `mict.gouv.ht` | PARTIALLY UP | PHP broken (500), static files serve, directory listing ON | --- ## Exposed Credentials ### web.config (IIS/ASP.NET config file — publicly accessible) **URL:** `https://mict.gouv.ht/web.config` **HTTP Status:** 200 OK ```xml ``` | Field | Value | |-------|-------| | **MySQL Server** | `localhost` | | **Database** | `immigr31_wordpress300` | | **Username** | `immigr31_admict` | | **Password** | `admictpassweb` | | **cPanel User** | `immigr31` (derived from DB prefix + server path) | --- ## Tech Stack ### Server / Hosting | Component | Detail | |-----------|--------| | **Web Server** | Apache (cPanel shared hosting) | | **OS** | Linux (shared hosting) | | **Hosting Panel** | cPanel (accessible at `:2083`, HTTP 200) | | **Webmail** | cPanel webmail at `:2096` (HTTP 200) | | **Server Path** | `/home/immigr31/public_html/` | | **PHP Version** | Ancient (pre-7.0) — `$HTTP_RAW_POST_DATA` deprecated warnings | ### CMS / Framework | Component | Detail | |-----------|--------| | **CMS** | WordPress | | **Database** | MySQL (`immigr31_wordpress300`) | | **Status** | PHP execution broken (all .php pages return 500) | | **Static files** | Still serving (images, CSS, JS, XML, config files) | ### WordPress Plugins Detected - WPBakery Page Builder / Visual Composer (js_composer uploads directory exists) - Standard WordPress core (wp-includes directory listing accessible) --- ## Directory Listing Exposure Directory listing is **ENABLED** across the entire WordPress installation: | Path | Status | Content | |------|--------|---------| | `/wp-content/` | 200 | Empty listing | | `/wp-content/plugins/` | 200 | Empty listing | | `/wp-content/themes/` | 200 | Empty listing | | `/wp-content/uploads/` | 200 | Year directories 2013-2025 | | `/wp-includes/` | 200 | Full WordPress core file listing | ### Upload Directories with Content | Year/Month | Size | Content Type | |------------|------|--------------| | 2013/06 | 255KB index | Large — likely many files | | 2016/03-04 | 10-10KB | Images | | 2018/03-06, 10-11 | 1-83KB | Images + possibly documents | | 2019/01-02, 06, 08, 12 | 1-15KB | Images | | 2020/05-09 | 25-127KB | Images + possibly documents | | 2021/04-05 | 17-96KB | Images | | 2024/08-09, 11 | 1-34KB | Images + PDFs | | 2025/01, 03, 05, 07, 09-10 | 2-46KB | Images + DOCX recruitment docs | --- ## Downloaded Files ### Documents | File | Year/Month | Type | Size | Description | |------|-----------|------|------|-------------| | MDUR_PGES-DES-SEIZE-RUES_-Aout-2024.pdf | 2024/09 | PDF | 3.6M | Environmental assessment — 16 streets project | | MDUR_PGES-DES-SEIZE-RUES_-Aout-2024-1.pdf | 2024/09 | PDF | 3.6M | Same document (duplicate) | | DG-Avis-de-recrutement-internes.docx | 2025/01 | DOCX | 24K | Internal recruitment notice — DG | | Publication-Recrutement-avis.docx | 2025/01 | DOCX | 20K | Public recruitment notice | ### Images (selected originals, 35+ files) - 2024/08: Government event photos, WhatsApp-shared images, official photos - 2024/11: Numbered photos (1-4) — event documentation - 2025/01: Recruitment flyer images - 2025/03: DIE (Direction de l'Immigration et de l'Émigration) documents, event photos dated 2025-03-10 --- ## Error Logs Exposed ### `/error_log` (173KB) - **Date range:** July 26, 2020 (only date in log) - **Content:** Hundreds of `PHP Deprecated: $HTTP_RAW_POST_DATA` warnings - **Intelligence:** Confirms ancient PHP version, site was active in 2020 ### `/wp-includes/error_log` (152 bytes) - `PHP Fatal error: Call to undefined function _deprecated_file()` in `/home/immigr31/public_html/wp-includes/rss.php` - **Intelligence:** Confirms cPanel path `/home/immigr31/public_html/` --- ## Other Exposed Endpoints | Endpoint | Status | Notes | |----------|--------|-------| | `/.well-known/` | 200 | AutoConfig/AutoDiscover XML for email setup | | `/readme.html` | 200 | WordPress readme (version fingerprinting) | | `/license.txt` | 200 | WordPress GPL license | | `/wp-login.php` | 0 bytes | Broken (PHP 500) | | `/wp-json/` | 500 | API broken (PHP execution failed) | | `/xmlrpc.php` | 500 | Broken | | Port 2082 | 200 | cPanel HTTP login | | Port 2083 | 200 | cPanel HTTPS login | | Port 2096 | 200 | Webmail login | --- ## Intelligence Summary 1. **CRITICAL: MySQL credentials exposed** via web.config — Ministry of Interior database 2. **cPanel shared hosting** — username `immigr31` suggests "immigration" account (MICT manages immigration in Haiti) 3. **WordPress completely broken** — PHP execution fails, but all static assets remain accessible 4. **Directory listing globally enabled** — full enumeration of uploads, plugins, themes, and core files 5. **Ancient PHP** — running pre-7.0 PHP version (deprecated since Dec 2018) 6. **Server path leaked** — `/home/immigr31/public_html/` via error logs 7. **DIE (Immigration Directorate) content** — uploads from March 2025 reference Direction de l'Immigration et de l'Émigration, confirming this hosts immigration-related content 8. **Active as recently as March 2025** — uploads continue despite broken PHP --- ## TODO - [x] Download web.config - [x] Enumerate upload directories (2013-2025) - [x] Download documents (PDFs, DOCXs) from 2024-2025 - [ ] Download documents from older years (2013-2021) — agent running - [ ] Check for additional config files (.htaccess, php.ini) - [ ] Check Wayback Machine for historical snapshots when PHP was working - [ ] Check if `immigr31` cPanel account hosts other domains