Distract And Destroy
Distract And Destroy is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Distract And Destroy attack path
Distract And Destroy is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Challenge walkthrough focused on Blockchain evidence, validation, and reusable operator lessons.
Walkthrough flow
Artifact review
Hypothesis
Validated solve path
Proof captured
Source coverage
High source coverage
Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Blockchain/Distract-and-Destroy/writeup.md
- htb-challenge/Blockchain/Distract-and-Destroy/notes.md
- htb-challenge/Blockchain/Distract-and-Destroy/memory-summary.md
- htb-challenge/Blockchain/Distract-and-Destroy/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Blockchain__Distract-and-Destroy__memory-summary.md.8d9ce1a098.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Blockchain__Distract-and-Destroy__notes.md.e412d86de5.md
Technical Walkthrough
Writeup
Challenge
- Name: Distract-and-Destroy
- Category: Blockchain
- Difficulty: Very Easy
- Mode: remote
Summary
The launcher exposed a funded private key, player address, setup address, target address, and RPC endpoint. The Creature contract only loses life when attacked by a contract after aggro has first been set by a different sender, so the solve path was to refresh the live connection info, deploy one helper to set aggro, and a second helper to deal 1000 damage and immediately loot the target balance, making Setup.isSolved() true.
The launcher exposed the private key, player address, setup address, target address, and RPC endpoint. The Creature contract only loses life when attacked by a contract after aggro has first been set by a different sender, so the solve path was to deploy one helper to set aggro and a second helper to deal 1000 damage and immediately loot the target balance, making Setup.isSolved() true.
Artifact Inventory
analysis/connection_info.http— initial launcher credentials and addresses.analysis/connection_info-live.json— refreshed live credentials and addresses used for the final solve.analysis/extracted/blockchain_distract_and_destroy/Creature.sol— challenge contract source.analysis/extracted/blockchain_distract_and_destroy/Setup.sol— setup/win-condition source.analysis/solve-result.json— post-exploit state showingisSolved=true.analysis/flag-response.txt— raw flag response before harness capture.solve/solve.py— reproducible exploit.
analysis/connection_info.http— live chain credentials and contract addresses.analysis/extracted/blockchain_distract_and_destroy/Creature.sol— challenge contract source.analysis/extracted/blockchain_distract_and_destroy/Setup.sol— setup/win-condition source.analysis/solve-result.json— post-exploit chain state showingisSolved=true.analysis/flag-response.txt— raw flag response before harness capture.solve/solve.py— reproducible exploit.
Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.
Analysis
Setup.isSolved() returns true when the target contract balance reaches zero. Creature.attack() only subtracts damage when _isOffBalance() is true and aggro != msg.sender. Because _isOffBalance() checks tx.origin != msg.sender, calls must come from contracts, not EOAs. The first helper contract calls attack(0) to set aggro to its own address. The second helper contract then calls attack(1000) as a different contract address, satisfying both conditions and reducing lifePoints to zero, then calls loot() to drain the balance.
Setup.isSolved() returns true when the target contract balance reaches zero. Creature.attack() only subtracts damage when _isOffBalance() is true and aggro != msg.sender. Because _isOffBalance() checks tx.origin != msg.sender, calls must come from contracts, not EOAs. The first helper contract calls attack(0) to set aggro to its own address. The second helper contract then calls attack(1000) as a different contract, satisfying both conditions and reducing lifePoints to zero, then calls loot() to drain the 10 wei balance.
Solve
The solver refreshes /connection_info at runtime to avoid stale setup/target addresses after resets, then uses web3 and py-solc-x to compile and deploy two tiny helper contracts. One sets aggro, the second attacks for 1000 damage from a different contract address and then calls loot(). After verifying Setup.isSolved(), the solver fetches /flag.
The solver uses web3 and py-solc-x to compile and deploy two tiny helper contracts. The first constructor sets aggro on the target. The second constructor attacks for 1000 damage from a different contract address and then calls loot(). After the deployments, the solver verifies Setup.isSolved() and fetches /flag.
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
When blockchain challenge launchers expose connection info via HTTP, refresh that data immediately before exploitation rather than trusting previously fetched addresses. Here the core bug was still tx.origin != msg.sender, but stale launcher addresses would make an otherwise correct exploit fail silently.
When a blockchain launcher directly exposes a funded private key and contract addresses, read the docs and source before installing heavy tooling. Here the intended trick was understanding tx.origin != msg.sender and using two contract deployments rather than a direct EOA transaction.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Distract-and-Destroy
- Category: Blockchain
- Difficulty: Very Easy
- Mode: remote
- Remote instance: <TARGET>:31125
- Start time: 2026-06-07T08:49:07Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c7364-9b9a-4d8e-8962-f159bb1ca444.zip | 1317 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-07T08:49:07Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-07T08:49:07Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-07T08:49:07Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-06-07T08:49:07Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-06-07T08:49:07Z | research task | analysis/research/task-20260607T084907737435Z-82fa3913.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-07T08:56:02Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-07T08:56:54Z | checkpoint recorded | analysis/checkpoint-triage-20260607T085654871477Z-5f0cfd7c.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-07T08:58:51Z | checkpoint recorded | analysis/checkpoint-analysis-20260607T085851850234Z-2c94b9d8.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-07T09:02:55Z | Deployed two helper contracts through exposed RPC and private key | analysis/solve-result.json, analysis/flag-response.txt | First helper set aggro, second helper attacked from a different msg.sender for 1000 damage and looted the target balance; Setup.isSolved() returned true and /flag returned the HTB flag. | High | Capture flag through harness and complete workspace. |
| 2026-06-07T09:05:55Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-07T09:05:55Z | Deployed two helper contracts using refreshed connection_info | analysis/connection_info-live.json, analysis/solve-result.json, analysis/flag-response.txt | Refreshing the launcher data exposed live setup/target addresses; the first helper set aggro, the second helper attacked from a different msg.sender for 1000 damage and looted the target balance. Setup.isSolved() became true and /flag returned the HTB flag. | High | Capture the flag through the harness and complete the workspace. |
| 2026-06-07T09:06:54Z | evaluator | analysis/evaluator-20260607T090654886703Z-19d0524a.md | Proceed | High | Use analysis/flag-response.txt to capture the flag and then run the completion gate. |
| 2026-06-07T09:06:55Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
-
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Scenario
After defeating her first monster, Alex stood frozen, staring up at another massive, hulking creature that loomed over her. She knew that this was a fight she could not win on her own. She turned to her guildmates, trying to come up with a plan. "We need to distract it," Alex said. "If we can get it off balance, we might be able to take it down." Her guildmates nodded, their eyes narrowed in determination. They quickly came up with a plan to lure the monster away from their position, using a combination of noise and movement to distract it. As they put their plan into action, Alex drew her sword and waited for her chance.
Operator Question
Analyze the provided Blockchain challenge artifact and live target host, identify the smart contract or blockchain interaction required, exploit or solve it reproducibly, and capture the HTB flag.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: Blockchain
- Challenge: Distract-and-Destroy
- Difficulty: Very Easy
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | initial triage from supplied challenge metadata | challenge name, category, difficulty, scenario, and remote target were provided by operator | inventory files / inspect app surface / map routes depending on category | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Memory Summary
approval_required: true
Sanitized Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: Blockchain
- Challenge: Distract-and-Destroy
- Difficulty: Very Easy
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Notes
Notes
Scope
- Challenge: Distract-and-Destroy
- Category: Blockchain
- Difficulty: Very Easy
- Mode: remote
- Remote instance: <TARGET>:31125
- Start time: 2026-06-07T08:49:07Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c7364-9b9a-4d8e-8962-f159bb1ca444.zip | 1317 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-07T08:49:07Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-07T08:49:07Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-07T08:49:07Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-06-07T08:49:07Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-06-07T08:49:07Z | research task | analysis/research/task-20260607T084907737435Z-82fa3913.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-07T08:56:02Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-07T08:56:54Z | checkpoint recorded | analysis/checkpoint-triage-20260607T085654871477Z-5f0cfd7c.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-07T08:58:51Z | checkpoint recorded | analysis/checkpoint-analysis-20260607T085851850234Z-2c94b9d8.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
2026-06-07T09: <REDACTED>, analysis/flag-response.txt | First helper set aggro, second helper attacked from a different msg.sender for 1000 damage and looted the target balance; Setup.isSolved() returned true and /flag returned the HTB flag. | High | Capture flag through harness and complete workspace. | ||
| 2026-06-07T09: <REDACTED> | |||||
2026-06-07T09: <REDACTED>, analysis/solve-result.json, analysis/flag-response.txt | Refreshing the launcher data exposed live setup/target addresses; the first helper set aggro, the second helper attacked from a different msg.sender for 1000 damage and looted the target balance. Setup.isSolved() became true and /flag returned the HTB flag. | High | Capture the flag through the harness and complete the workspace. | ||
| 2026-06-07T09: <REDACTED> | |||||
| 2026-06-07T09:06:55Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
-
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Scenario
After defeating her first monster, Alex stood frozen, staring up at another massive, hulking creature that loomed over her. She knew that this was a fight she could not win on her own. She turned to her guildmates, trying to come up with a plan. "We need to distract it," Alex said. "If we can get it off balance, we might be able to take it down." Her guildmates nodded, their eyes narrowed in determination. They quickly came up with a plan to lure the monster away from their position, using a combination of noise and movement to distract it. As they put their plan into action, Alex drew her sword and waited for her chance.
Operator Question
Analyze the provided Blockchain challenge artifact and live target host, identify the smart contract or blockchain interaction required, exploit or solve it reproducibly, and capture the HTB flag.
Technical analogy
How to remember this solve
Think of the smart contract like a transparent bank ledger with strict but imperfect rules. The trick is to make the rules execute in an order the author did not protect against.
For Distract And Destroy, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.