
3. Point-of-Sale Password Recovery

Introduction

Sugarplum Mary in the Courtyard

Hey, wouldja' mind helping me get into my point-of-sale terminal?

It's down, and we kinda' need it running.

Problem is: it is asking for a password. I never set one!

Can you help me figure out what it is so I can get set up?

Shinny says this might be an Electron application.

I hear there's a way to extract an ASAR file from the binary, but I haven't looked into it yet.

Objective

Hints

Solution

Clicking the Santa Shop terminal offers an option to download an offline version of the point-of-sale software: https://download.holidayhackchallenge.com/2020/santa-shop/santa-shop.exe

Santa Shop Terminal

santa.exe turns out to be a self-extracting executable and it is possible to open this with 7-Zip.

Going into the $PLUGINSDIR directory, open the application.

Inside the application, in the resources directory, is app.asar, which holds the source code of the Electron application.

This file can be opened using Notepad.

Looking through the source code, there is a hardcoded password.

If santa.exe is run then this password successfully unlocks the offline version of SantaPOS v1.0.
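
Why Notepad is enough here, shown as an added example (not part of the original write-up or the challenge's own code): an ASAR archive is a plaintext JSON index followed by the raw file bytes, so anything hardcoded in the source ships readable. The Node.js sketch below parses that layout and flags credential-like assignments in a constructed sample archive; the function names, the regex and the sample contents are assumptions.

```javascript
// Build a tiny flat ASAR in memory (constructed sample, not the challenge file).
function buildAsar(files) {
  const bodies = Object.values(files).map((t) => Buffer.from(t, "utf8"));
  const index = { files: {} };
  let offset = 0;
  Object.keys(files).forEach((name, i) => {
    index.files[name] = { size: bodies[i].length, offset: String(offset) };
    offset += bodies[i].length;
  });
  const json = Buffer.from(JSON.stringify(index), "utf8");
  const padded = Math.ceil(json.length / 4) * 4; // Pickle pads the string to 4 bytes
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0);            // size pickle: payload length
  head.writeUInt32LE(8 + padded, 4);   // size pickle: length of the header pickle
  head.writeUInt32LE(4 + padded, 8);   // header pickle: payload length
  head.writeUInt32LE(json.length, 12); // header pickle: JSON length in bytes
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}
// The index is plaintext JSON; file bytes start right after the header pickle.
function readAsarIndex(buf) {
  if (buf.length < 16 || buf.readUInt32LE(0) !== 4) throw new Error("not an ASAR archive");
  const dataStart = 8 + buf.readUInt32LE(4);
  const jsonEnd = 16 + buf.readUInt32LE(12);
  if (jsonEnd > dataStart || dataStart > buf.length) throw new Error("corrupt ASAR header");
  return { index: JSON.parse(buf.toString("utf8", 16, jsonEnd)), dataStart };
}
// Yield packed files; directories nest under "files", offsets are decimal strings.
function* walk(node, prefix = "") {
  for (const [name, entry] of Object.entries(node.files || {})) {
    if (entry.files) yield* walk(entry, prefix + name + "/");
    else if (entry.offset !== undefined) yield { path: prefix + name, offset: Number(entry.offset), size: entry.size };
  }
}
const SECRET_RE = /\b(pass(word|wd)?|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]+['"]/i;
// Report file and line number of credential-looking string assignments.
function findHardcodedSecrets(buf) {
  const { index, dataStart } = readAsarIndex(buf);
  const hits = [];
  for (const f of walk(index)) {
    const start = dataStart + f.offset;
    if (start + f.size > buf.length) throw new Error("entry out of bounds: " + f.path);
    const lines = buf.toString("utf8", start, start + f.size).split("\n");
    lines.forEach((l, i) => SECRET_RE.test(l) && hits.push({ file: f.path, line: i + 1 }));
  }
  return hits;
}
const sample = buildAsar({ "package.json": '{"name":"demo-pos"}',
  "main.js": "'use strict';\nconst PASSWORD = 'constructed-value';\n" });
console.log(findHardcodedSecrets(sample));
```

Run against a build's own app.asar (read with `fs.readFileSync`) before release, a hit means the value is recoverable by anyone who has the installer.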

Answer

santapass