Mercure’s Signature Dish Writeup


Hotel Me.Mercure is an online secret food ordering platform. Find a way to order their signature dishes!


A URL is provided, which leads to a login page. The challenger has to login using username and password, but as we know the password is not given (username is provided).

After logging in, you can find a PDF file, which is also protected by a password. Inside the PDF, the flag is hidden. You have to find out the password to login and also you have to crack the password of the pdf file.

1. Brute force the login page using rockyou.txt file to crack the login page password.

dish 1

2. After login there will be a PDF file, which is also protected by password.

dish 2

3. Use “John the Ripper” to crack the password for this file, and the flag will be hidden in the PDF. A simple text hiding method was used to hide the flag.

dish 3

Jishnu Vijayan
Security Engineer

Related Articles