$ cat writeup.md…
$ cat writeup.md…
hackthebox
Task: Smart contract creature with 1000 HP that requires specific conditions to damage. Solution: Exploit tx.origin vs msg.sender difference by setting aggro directly, then attacking through an intermediary contract to bypass the _isOffBalance() check.
$ cat /etc/rate-limit
Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.
We are given a smart contract of a creature with 1000 health points. Our task is to reduce its health to zero and claim the "loot", which marks the challenge as solved.
The challenge presents two main contracts: Setup.sol and Creature.sol.
The contract contains the following key elements:
lifePoints: initial value of 1000.aggro: the address that first attacked the creature.attack(uint256 _damage): function to deal damage._isOffBalance(): helper function that checks the condition tx.origin != msg.sender.function attack(uint256 _damage) external { if (aggro == address(0)) { aggro = msg.sender; } if (_isOffBalance() && aggro != msg.sender) { lifePoints -= _damage; } else { lifePoints -= 0; } }
Conditions for dealing damage:
_isOffBalance() must be true, meaning tx.origin != msg.sender. This occurs when the contract is called by another contract, not directly by a user.aggro != msg.sender: the current caller (msg.sender) must not be the one holding "aggro".The vulnerability lies in the aggro check logic and the use of tx.origin.
tx.origin is the wallet address that initiated the transaction.msg.sender is the address of the immediate call sender.If we call attack through an intermediary exploit contract, then msg.sender will be the exploit's address, while tx.origin will be our wallet. This satisfies the _isOffBalance() condition.
However, if we simply call the exploit first, it will become the aggro, and the condition aggro != msg.sender (where both are the exploit's address) will not be satisfied.
...
$ grep --similar