Portal Noncense

Technical Walkthrough

Writeup

Challenge

• Name: Portal-Noncense
• Category: Blockchain
• Difficulty: Medium
• Mode: hybrid

Summary

Portal Noncense was solved by using deterministic CREATE addresses. The PortalStation contract hardcoded the orcKingdom destination to an address that had no code yet. Live nonce analysis showed that the player account would deploy a contract exactly at that address when its nonce reached 130.

After advancing the player nonce, a connector contract was deployed at the hardcoded orcKingdom destination. Calling createPortal("orcKingdom") then delegatecalled into the connector, whose connect() function set isPortalActive["orcKingdom"] = true in PortalStation storage.

Artifact Inventory

• files/extracted/blockchain_portal_noncense/Portal.sol: vulnerable portal station logic.
• files/extracted/blockchain_portal_noncense/Setup.sol: solved condition.
• analysis/live-readonly-probe.json: live destination, code, and solved-state probe.
• analysis/nonce-address-analysis.txt: proof that player CREATE nonce 130 maps to the hardcoded orcKingdom address.
• solve/OrcConnector.sol: connector contract deployed at the deterministic destination.
• solve/solve.py: reusable read-only and execute solver.
• analysis/solve-run-summary.json: successful transaction receipts and solved-state proof.

Analysis

Setup.isSolved() returns TARGET.isPortalActive("orcKingdom"). The direct requestPortal() route is impractical because isExpertStandby is false and the payable requirement is greater than 1337 ether.

The real route is createPortal(destination), which performs a delegatecall into destinations[destination] and expects connect() to return true. Read-only probing showed that destinations("orcKingdom") pointed to 0xFC31...4007, but that address had no code.

The nonce analysis proved this was not random: with the live player account at nonce 0, the standard CREATE address at nonce 130 matched the hardcoded orcKingdom destination. That meant the player could burn 130 nonces, deploy code at the exact destination address, and then make createPortal("orcKingdom") execute that code through delegatecall.

The connector contract mirrors the storage prefix of PortalStation, so under delegatecall, assigning isPortalActive["orcKingdom"] = true writes to the target contract's mapping slot.

Solve

Read-only validation:

python3 Blockchain/Portal-Noncense/solve/solve.py \
  --base-url http://<TARGET>:32209 \
  --workspace Blockchain/Portal-Noncense \
  --readonly

Execution through the harness:

python3 scripts/challenge_exec.py Blockchain/Portal-Noncense \
  --phase <secret redacted> \
  --output analysis/solve-run-summary.json \
  -- python3 Blockchain/Portal-Noncense/solve/solve.py \
    --base-url http://<TARGET>:32209 \
    --workspace Blockchain/Portal-Noncense \
    --execute

The execute run burned nonce up to 130, deployed OrcConnector at the hardcoded orc destination, called createPortal("orcKingdom"), confirmed Setup.isSolved() == true, and wrote the flag candidate to loot/flag-candidate.txt. The harness captured the final flag into loot/flag.txt.

The challenge backend reset to an initial-looking state after the /flag request. The reliable evidence is the transaction summary showing successful connector deployment at the hardcoded destination, successful createPortal, and setup_solved_after: true.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Hardcoded addresses can be future deterministic CREATE addresses.
• Nonce manipulation is a valid blockchain exploit primitive when a contract trusts code at a not-yet-deployed address.
• delegatecall lets destination code mutate caller storage, so storage layout compatibility matters.
• Snapshot important solved-state data before calling /flag, because challenge infrastructure may reset after successful flag retrieval.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Portal-Noncense
• Category: Blockchain
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-12T23:24:49Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Blockchain
• Challenge: Portal-Noncense
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Audit Setup.sol: solved when TARGET.isPortalActive("orcKingdom") is true.
2. Audit Portal.sol: requestPortal() is impractical due isExpertStandby and high ETH requirement; createPortal() uses delegatecall into destinations[_destination].connect().
3. Probe live destination addresses and confirm the hardcoded orcKingdom destination has no code.
4. Compute standard CREATE addresses for the player account.
5. Identify that player nonce 130 deploys to the exact hardcoded orcKingdom destination.
6. Compile a connector contract with matching storage layout prefix and connect() that sets isPortalActive["orcKingdom"] = true.
7. Burn player nonce up to 130, deploy connector at the destination, call createPortal("orcKingdom"), and confirm Setup.isSolved().
8. Fetch and harness-capture the flag.

Reusable Lessons

• CREATE address prediction can be an intended exploit path when contracts point to not-yet-deployed addresses.
• Nonce burning through zero-value transactions is enough to reach a target CREATE nonce on Anvil-style HTB chains.
• delegatecall executes callee code against caller storage; matching storage layout or direct storage-slot writes can mutate target state.
• Record solved-state evidence before fetching /flag, because some challenge backends reset or rotate after flag retrieval.

Dead Ends

• requestPortal("orcKingdom") is not viable because the expert standby flag is false and the ETH requirement is intentionally unrealistic.
• Treating the destination addresses as existing contracts is misleading; live code at the hardcoded destinations was empty.
• RAG did not contain challenge-specific memory for this solve.

Tool Quirks

• Plain JSON-RPC was sufficient; no Python web3 dependency was needed.
• npx solc@0.8.13 compiled the connector when no native solc was available.
• The final flag request reset the live state, so future solvers should snapshot nonce/code/solved state before calling /flag.

Evidence Paths

• analysis/source-audit.md
• analysis/live-readonly-probe.json
• analysis/nonce-address-analysis.txt
• analysis/readonly-nonce-validation.json
• solve/solve.py
• solve/OrcConnector.sol
• analysis/solve-run-summary.json
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches