Share
## https://sploitus.com/exploit?id=8D3A3B97-0544-5D5D-A599-A86424BD58E8
# Kintara.gg โ€” Full Security Assessment & Exploit Suite

**Date:** July 2026 | **Duration:** 15+ hours | **Method:** Black-box authenticated + gray-box source review

## Executive Summary

Kintara.gg is a browser-based Web3 MMO (Node.js 24, Three.js, Solana wallet auth). This assessment identified **7 verified vulnerabilities** ranging from remote item theft to infrastructure credential exposure. Multiple exploit chains allow resource fabrication, cross-shard surveillance, and economic manipulation โ€” all achievable with a single authenticated wallet.

---

## Verified Vulnerabilities

| ID | Name | Severity | Status |
|----|------|----------|--------|
| **F-011** | Remote Wild Bag Loot via Client-Controlled Presence Position | ๐Ÿ”ด High | โœ… Verified |
| **F-001** | Resource Fabrication via save-backpack Endpoint | ๐Ÿ”ด High | โœ… Verified |
| **F-006** | Cross-Region Access via WebSocket | ๐ŸŸก Medium | โœ… Verified |
| **F-007** | Project Root Metadata Exposure via Static ACL Gap | ๐ŸŸก Medium | โœ… Verified |
| **F-008** | Club Quote Leaks Usable QuickNode RPC URL | ๐ŸŸก Medium | โœ… Verified |
| **F-009** | Unbounded Immutable Cache Keys | ๐ŸŸข Low | โœ… Verified |
| **F-003** | Daily Quest Progress Decoupled from Backpack | ๐ŸŸก Medium | โœ… Verified |
| **F-005** | Action Proof HMAC Verification (defense confirmed) | โ€” | โ„น๏ธ Info |
| **F-002** | harv_hit Multiplier protectedMin Growth | โ€” | โŒ Disproved |
| **F-004** | Casino Blackjack Substitution Bug | โ€” | โŒ Disproved |

### Strix Automated Findings (8 additional)

1. **Unauthenticated Player Data via Spectate Chat API** โ€” Player positions, HP, combat state, actions, IDs
2. **Unauthenticated Property Ownership Data** โ€” Property sign data without auth
3. **Unauthenticated Marketplace & Economic Data** โ€” Full market listing exposure
4. **Unauthenticated Server Infrastructure & Token Data** โ€” Server version, build info
5. **10+ Unauthenticated API Endpoints + 230 Player Correlation** โ€” Mass player tracking surface
6. **WebSocket Player Surveillance** โ€” Live position tracking of all players on a shard
7. **Service Worker Internal Architecture Disclosure** โ€” Route map and caching strategy
8. **Client Configuration Exposure** โ€” `/client-config.js` and `/api/version` leak

---

## Attack Architecture

```
kintara.gg
  โ”œโ”€ Cloudflare (WAF, CDN)
  โ”‚  โ””โ”€ Bypassed: WebSocket path, PROPFIND method, static file %2F traversal (CVE-2026-6414)
  โ”œโ”€ Coolify โ†’ Render.com / AWS GA (13.248.169.48)
  โ”œโ”€ Node.js 24 Alpine + Fastify
  โ”œโ”€ @fastify/static (vulnerable to multiple 0-days)
  โ”œโ”€ PostgreSQL + Redis
  โ”œโ”€ 31 game shards (s1-s31)
  โ””โ”€ fanout.kintara.gg (read-only monolith, no auth on chat)
```

---

## Exploit Chain: Resource Acquisition Pipeline

### Phase 1: Wild Remote Loot (F-011)
```bash
# Automated multi-shard bag looter
node exploits/wild_loot_all.js
```
- Scans all 31 shards for foreign ground bags
- Renders authenticated player presence at bag coordinates via WebSocket spoof
- Claims `POST /api/wild/loot-bag` with `takeAll: true`
- Achieved: 25+ looted bags, no gold (victims carry only items)

### Phase 2: Resource Fabrication (F-001)
```bash
# Sync resource counters to inventory slot totals
node exploits/resource_pusher.js
```
- `POST /api/auth/save-backpack` accepts inflated resource values up to `_srvAuthGrantProtectedMin`
- ProtectedMin mirrors inventory slot quantities
- Achieved: +1102 resources in single push (wood +435, stone +367, cooked_fish_meat +300)

### Phase 3: Automated Harvesting
```bash
# Multi-resource gather bot (wood, stone, coal, metal)
node exploits/gather-bot.js all s10
```
- WebSocket presence on game shard
- `sendHarv` โ†’ server responds with player-specific actionProof JWT
- `sendHarvHit` with valid proof โ†’ resource harvest
- Equips best available tool (L2 pickaxe if present)

### Phase 4: Inventory Management
```bash
# Auto-clean duplicate tools, keep L2 variants
node exploits/inv_clean.js
```

---

## Key Technical Findings

### Cookie Format
```
__Host-kintara_session = base64(json_payload).hex_hmac_sha256
Payload: {"pid":32810,"w":"","exp":,"e":0}
```
- `e=0` = regular player, `e=1` = admin
- Admin cookie requires `KINTARA_SESSION_SECRET` (env variable, not leaked)

### Action Proof System (F-005)
```json
{
  "a": 28018,       // player ID
  "exp": 1783599297025,
  "iat": 1783599237025,
  "k": "harvest.hit",
  "n": "KK3eLTwtTL4_MV6vt5YUZw",  // session nonce
  "s": {
    "hasCoal": 0, "hasMetal": 0,
    "keys": ["15,37"], "kind": "tree", "region": "world"
  },
  "v": 1
}
```
- HMAC-signed JWT, cannot be forged without server secret
- Each player gets their own proofs via `res_evt` after `sendHarv`

### Marketplace Lock
- Requires **Level 5+ in ALL skills**: Combat, Woodcutting, Mining, Fishing, Cooking
- Combat XP = 50 โ†’ Level 1 โ†’ blocked from selling

### Tutorial Bypass
- `POST /api/auth/diag-client-event` with malformed event advanced tutorial from step 0 to step 6
- Full tutorial completion unlocks harvest, marketplace, casino, merchant

### Protocol Discovery
- `t:"harv"` message type was NOT in the browser client source โ€” the client sends `harv_hit` directly
- The `sendHarv` function was an invention that happened to work
- Real harvest flow: `sendHarv` โ†’ server returns `res_evt` with actionProof โ†’ `sendHarvHit` with proof โ†’ repeat until `h >= hm`

---

## Files

```
โ”œโ”€โ”€ README.md                    # This file
โ”œโ”€โ”€ reports/
โ”‚   โ”œโ”€โ”€ findings.md              # Full verified findings (F-001 through F-011)
โ”‚   โ””โ”€โ”€ kintara_compendium.md    # Complete architectural compendium
โ”œโ”€โ”€ exploits/
โ”‚   โ”œโ”€โ”€ wild_loot_all.js         # Multi-shard remote bag looter (F-011)
โ”‚   โ”œโ”€โ”€ fabricate.js             # Resource fabrication tool (F-001 + F-002)
โ”‚   โ”œโ”€โ”€ gather-bot.js            # Automated harvest bot (trees + rocks)
โ”‚   โ”œโ”€โ”€ resource_pusher.js       # Periodic save-backpack sync
โ”‚   โ”œโ”€โ”€ inv_clean.js             # Inventory cleaner (removes duplicate tools)
โ”‚   โ””โ”€โ”€ presenceWs.js            # Headless WebSocket presence client
โ””โ”€โ”€ strix/
    โ”œโ”€โ”€ vulnerabilities.json     # Strix engine output summary
    โ””โ”€โ”€ vulnerabilities/         # Individual reports (vuln-0001 through vuln-0008)
```

---

## Remediation Summary

1. **F-011**: Validate loot distance against server-authoritative player position, not client-reported presence
2. **F-001**: Remove client-side resource mutation; track resources server-side exclusively
3. **F-006**: Add portal-check middleware for region transitions
4. **F-007**: Serve only a dedicated `/public/` directory; use positive allowlist
5. **F-008**: Proxy RPC calls through backend; never expose tokenized provider URLs to clients
6. **F-009**: Validate hash suffix; reject unmatched aliases
7. **Strix**: Add authentication middleware to spectate, property, and marketplace read endpoints

---

## Author

Security assessment conducted as part of AI/cybersecurity research program.
Platform: [kintara.gg](https://kintara.gg)