stego · free · medium

Take a Slice

umasscybersec

Task: a file named `cake` looked like opaque binary data, but its structure matched a binary STL 3D mesh with hidden geometry. Solution: parse triangles, isolate disconnected mesh components, project the small hidden meshes with PCA, and render filled projected triangles to read `UMASS{SL1C3_&_D1C3}`.

$ ls tags/ techniques/
binary_stl_parsing  connected_component_isolation  pca_projection  projected_triangle_rendering

Take a Slice — UMass Cybersecurity CTF

Challenge

It's in the name!

The challenge provided a single file named cake. It was not immediately recognized as a common media format, so the goal was to identify the container first and then determine where the hidden data was actually stored.

Recon

Basic triage did not reveal anything obvious:

file cake # data

That ruled out easy wins like plain text, images, archives, or obvious appended content. A quick hex look was more useful: the file had a mostly zero 80-byte header followed by data that looked structured rather than random.

That pattern strongly suggested a binary STL file:

  • 80-byte header
  • 4-byte little-endian triangle count
  • then 50 bytes per triangle

Parsing offset 80 as a little-endian uint32 gave a triangle count of 39210, which is exactly what a binary STL stores after the header. The geometry bounds were approximately:

  • x: [-1.347, 59.055]
  • y: [-2.54, 43.105]
  • z: [0, 25.4]

So the mystery cake file was really a 3D model.

The binary STL record layout is:

  • 12 bytes: normal vector (float32 x 3)
  • 36 bytes: 3 vertices (float32 x 9)
  • 2 bytes: attribute field

No useful strings or metadata were present. The flag was hidden in the mesh itself.
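The layout above is enough to confirm the format and split the mesh into its disconnected parts. The following is an added example, not code from the original writeup: the function names, the three-triangle sample blob, and the choice to join triangles only on exactly equal vertex coordinates are assumptions made for illustration.

```python
import struct

HEADER_LEN, RECORD_LEN = 80, 50  # sizes from the layout described above

def parse_binary_stl(blob):
    """Return a list of triangles (three vertex tuples each) or raise ValueError."""
    if len(blob) < HEADER_LEN + 4:
        raise ValueError("too short for a binary STL header")
    (count,) = struct.unpack_from("<I", blob, HEADER_LEN)
    # A real binary STL is exactly 84 + 50 * count bytes; arbitrary data rarely is.
    if len(blob) != HEADER_LEN + 4 + count * RECORD_LEN:
        raise ValueError("size does not match 84 + 50 * triangle_count")
    tris = []
    for i in range(count):
        f = struct.unpack_from("<12fH", blob, HEADER_LEN + 4 + i * RECORD_LEN)
        tris.append((f[3:6], f[6:9], f[9:12]))  # skip normal, drop attribute field
    return tris

def bounds(tris):
    """Per-axis (min, max) over every vertex, as in the Recon bounds check."""
    pts = [v for t in tris for v in t]
    return [(min(p[a] for p in pts), max(p[a] for p in pts)) for a in range(3)]

def components(tris):
    """Group triangle indices into meshes that share a vertex (union-find)."""
    parent = list(range(len(tris)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i
    owner = {}  # vertex -> first triangle seen using it (exact match: assumption)
    for i, t in enumerate(tris):
        for v in t:
            parent[find(i)] = find(owner.setdefault(v, i))
    groups = {}
    for i in range(len(tris)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values(), key=len, reverse=True)

def build_sample():
    """Constructed input: a two-triangle quad plus one detached triangle."""
    tris = [((0, 0, 0), (1, 0, 0), (0, 1, 0)),
            ((1, 0, 0), (1, 1, 0), (0, 1, 0)),
            ((5, 5, 5), (6, 5, 5), (5, 6, 5))]
    body = b"".join(struct.pack("<12fH", 0, 0, 1, *a, *b, *c, 0) for a, b, c in tris)
    return bytes(HEADER_LEN) + struct.pack("<I", len(tris)) + body
```

On a real file, the small groups at the end of the `components` result are the candidates for separately embedded geometry.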

Analysis

At this point, the main question was whether the model geometry itself encoded something visual. There were no relevant STL-specific hits in the existing knowledge base or HackTricks, so the solve path came from direct geometry analysis.

Plotting raw projections of all triangles from the top, front, and side views produced suspicious artifacts. They were not fully readable, but they looked too structured to be accidental. The helper renders in the task directory captured this stage:

...
