Share
## https://sploitus.com/exploit?id=8D3A3B97-0544-5D5D-A599-A86424BD58E8
# Kintara.gg โ Full Security Assessment & Exploit Suite
**Date:** July 2026 | **Duration:** 15+ hours | **Method:** Black-box authenticated + gray-box source review
## Executive Summary
Kintara.gg is a browser-based Web3 MMO (Node.js 24, Three.js, Solana wallet auth). This assessment identified **7 verified vulnerabilities** ranging from remote item theft to infrastructure credential exposure. Multiple exploit chains allow resource fabrication, cross-shard surveillance, and economic manipulation โ all achievable with a single authenticated wallet.
---
## Verified Vulnerabilities
| ID | Name | Severity | Status |
|----|------|----------|--------|
| **F-011** | Remote Wild Bag Loot via Client-Controlled Presence Position | ๐ด High | โ
Verified |
| **F-001** | Resource Fabrication via save-backpack Endpoint | ๐ด High | โ
Verified |
| **F-006** | Cross-Region Access via WebSocket | ๐ก Medium | โ
Verified |
| **F-007** | Project Root Metadata Exposure via Static ACL Gap | ๐ก Medium | โ
Verified |
| **F-008** | Club Quote Leaks Usable QuickNode RPC URL | ๐ก Medium | โ
Verified |
| **F-009** | Unbounded Immutable Cache Keys | ๐ข Low | โ
Verified |
| **F-003** | Daily Quest Progress Decoupled from Backpack | ๐ก Medium | โ
Verified |
| **F-005** | Action Proof HMAC Verification (defense confirmed) | โ | โน๏ธ Info |
| **F-002** | harv_hit Multiplier protectedMin Growth | โ | โ Disproved |
| **F-004** | Casino Blackjack Substitution Bug | โ | โ Disproved |
### Strix Automated Findings (8 additional)
1. **Unauthenticated Player Data via Spectate Chat API** โ Player positions, HP, combat state, actions, IDs
2. **Unauthenticated Property Ownership Data** โ Property sign data without auth
3. **Unauthenticated Marketplace & Economic Data** โ Full market listing exposure
4. **Unauthenticated Server Infrastructure & Token Data** โ Server version, build info
5. **10+ Unauthenticated API Endpoints + 230 Player Correlation** โ Mass player tracking surface
6. **WebSocket Player Surveillance** โ Live position tracking of all players on a shard
7. **Service Worker Internal Architecture Disclosure** โ Route map and caching strategy
8. **Client Configuration Exposure** โ `/client-config.js` and `/api/version` leak
---
## Attack Architecture
```
kintara.gg
โโ Cloudflare (WAF, CDN)
โ โโ Bypassed: WebSocket path, PROPFIND method, static file %2F traversal (CVE-2026-6414)
โโ Coolify โ Render.com / AWS GA (13.248.169.48)
โโ Node.js 24 Alpine + Fastify
โโ @fastify/static (vulnerable to multiple 0-days)
โโ PostgreSQL + Redis
โโ 31 game shards (s1-s31)
โโ fanout.kintara.gg (read-only monolith, no auth on chat)
```
---
## Exploit Chain: Resource Acquisition Pipeline
### Phase 1: Wild Remote Loot (F-011)
```bash
# Automated multi-shard bag looter
node exploits/wild_loot_all.js
```
- Scans all 31 shards for foreign ground bags
- Renders authenticated player presence at bag coordinates via WebSocket spoof
- Claims `POST /api/wild/loot-bag` with `takeAll: true`
- Achieved: 25+ looted bags, no gold (victims carry only items)
### Phase 2: Resource Fabrication (F-001)
```bash
# Sync resource counters to inventory slot totals
node exploits/resource_pusher.js
```
- `POST /api/auth/save-backpack` accepts inflated resource values up to `_srvAuthGrantProtectedMin`
- ProtectedMin mirrors inventory slot quantities
- Achieved: +1102 resources in single push (wood +435, stone +367, cooked_fish_meat +300)
### Phase 3: Automated Harvesting
```bash
# Multi-resource gather bot (wood, stone, coal, metal)
node exploits/gather-bot.js all s10
```
- WebSocket presence on game shard
- `sendHarv` โ server responds with player-specific actionProof JWT
- `sendHarvHit` with valid proof โ resource harvest
- Equips best available tool (L2 pickaxe if present)
### Phase 4: Inventory Management
```bash
# Auto-clean duplicate tools, keep L2 variants
node exploits/inv_clean.js
```
---
## Key Technical Findings
### Cookie Format
```
__Host-kintara_session = base64(json_payload).hex_hmac_sha256
Payload: {"pid":32810,"w":"","exp":,"e":0}
```
- `e=0` = regular player, `e=1` = admin
- Admin cookie requires `KINTARA_SESSION_SECRET` (env variable, not leaked)
### Action Proof System (F-005)
```json
{
"a": 28018, // player ID
"exp": 1783599297025,
"iat": 1783599237025,
"k": "harvest.hit",
"n": "KK3eLTwtTL4_MV6vt5YUZw", // session nonce
"s": {
"hasCoal": 0, "hasMetal": 0,
"keys": ["15,37"], "kind": "tree", "region": "world"
},
"v": 1
}
```
- HMAC-signed JWT, cannot be forged without server secret
- Each player gets their own proofs via `res_evt` after `sendHarv`
### Marketplace Lock
- Requires **Level 5+ in ALL skills**: Combat, Woodcutting, Mining, Fishing, Cooking
- Combat XP = 50 โ Level 1 โ blocked from selling
### Tutorial Bypass
- `POST /api/auth/diag-client-event` with malformed event advanced tutorial from step 0 to step 6
- Full tutorial completion unlocks harvest, marketplace, casino, merchant
### Protocol Discovery
- `t:"harv"` message type was NOT in the browser client source โ the client sends `harv_hit` directly
- The `sendHarv` function was an invention that happened to work
- Real harvest flow: `sendHarv` โ server returns `res_evt` with actionProof โ `sendHarvHit` with proof โ repeat until `h >= hm`
---
## Files
```
โโโ README.md # This file
โโโ reports/
โ โโโ findings.md # Full verified findings (F-001 through F-011)
โ โโโ kintara_compendium.md # Complete architectural compendium
โโโ exploits/
โ โโโ wild_loot_all.js # Multi-shard remote bag looter (F-011)
โ โโโ fabricate.js # Resource fabrication tool (F-001 + F-002)
โ โโโ gather-bot.js # Automated harvest bot (trees + rocks)
โ โโโ resource_pusher.js # Periodic save-backpack sync
โ โโโ inv_clean.js # Inventory cleaner (removes duplicate tools)
โ โโโ presenceWs.js # Headless WebSocket presence client
โโโ strix/
โโโ vulnerabilities.json # Strix engine output summary
โโโ vulnerabilities/ # Individual reports (vuln-0001 through vuln-0008)
```
---
## Remediation Summary
1. **F-011**: Validate loot distance against server-authoritative player position, not client-reported presence
2. **F-001**: Remove client-side resource mutation; track resources server-side exclusively
3. **F-006**: Add portal-check middleware for region transitions
4. **F-007**: Serve only a dedicated `/public/` directory; use positive allowlist
5. **F-008**: Proxy RPC calls through backend; never expose tokenized provider URLs to clients
6. **F-009**: Validate hash suffix; reject unmatched aliases
7. **Strix**: Add authentication middleware to spectate, property, and marketplace read endpoints
---
## Author
Security assessment conducted as part of AI/cybersecurity research program.
Platform: [kintara.gg](https://kintara.gg)