
Objective #3 - Point-of-Sale Password Recovery

Objective

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What's the password?

Analysis

When you click on the terminal, you'll discover that it is locked out. Click on the provided link to download santa-shop.exe and perform off-line analysis to recover the password.

Screenshot of locked out point-of-sale terminal

Tip

Be sure to pick up the broken candy cane on your way into Santa's Castle. Explore the castle and pick up any other objects you see, as these will come in handy later.

Tip

Download a Windows virtual machine from Microsoft to use during this objective so you don’t have to install anything directly onto your computer.

Solution

Step 1: Install santa-shop.exe. You'll find its program files are unpacked in %USERPROFILE%\AppData\Local\Programs\santa-shop\

Step 2: The LICENSE.electron.txt file hints that this program was written using Electron, an open-source framework for developing desktop applications using web technologies.

Step 3: Download and install Node.js, and then install the asar module.

> npm install -g asar

Step 4: Unpack the app.asar file to reveal the application’s source code.

> cd %USERPROFILE%\AppData\Local\Programs\santa-shop\resources

> md source

> asar extract app.asar source

Step 5: Open main.js and find the password. If you weren’t quite sure where to find it, the README.md file provides a hint on which file to look in.

Password shown in main.js

Answer: santapass
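
Steps 4 and 5 work because an asar archive is only a JSON index followed by the packed files' bytes, with no encryption, so anything in the source ships in the clear. The added example below (not part of the original walkthrough or of the asar project) parses that layout and flags string literals assigned to credential-like names, a check a developer can run on their own build before release; the sample archive, the name SUPERVISOR_PASSWORD and the regex are constructed for illustration.

```javascript
// asar layout: 8-byte size pickle, header pickle holding a JSON index,
// then the packed files' raw bytes back to back.
function parseAsar(buf) {
  const headerSize = buf.readUInt32LE(4);  // size of the header pickle
  const jsonLen = buf.readUInt32LE(12);    // length of the JSON index string
  const index = JSON.parse(buf.toString("utf8", 16, 16 + jsonLen));
  return { index, dataStart: 8 + headerSize };
}

// Walk the nested "files" tree, yielding [path, bytes] for each packed file.
function* walk(buf, node, dataStart, prefix = "") {
  for (const [name, entry] of Object.entries(node.files)) {
    const path = prefix + name;
    if (entry.files) yield* walk(buf, entry, dataStart, path + "/");
    else if (!entry.unpacked) {
      const start = dataStart + Number(entry.offset); // offset is stored as a string
      yield [path, buf.subarray(start, start + entry.size)];
    }
  }
}

// Heuristic (assumption): a quoted literal assigned to a credential-looking name.
const SECRET_RE = /\b(\w*(?:pass(?:word|wd)?|secret|token|api_?key)\w*)\s*[:=]\s*["'`]([^"'`]+)["'`]/gi;
function findHardcodedSecrets(buf) {
  const { index, dataStart } = parseAsar(buf);
  const hits = [];
  for (const [path, bytes] of walk(buf, index, dataStart)) {
    if (!/\.(js|json|html)$/.test(path)) continue;
    for (const m of bytes.toString("utf8").matchAll(SECRET_RE))
      hits.push({ path, name: m[1], value: m[2] });
  }
  return hits;
}

// Constructed sample archive (not the real santa-shop app.asar).
function buildSampleAsar() {
  const main = Buffer.from('const SUPERVISOR_PASSWORD = "constructed-secret";\n');
  const util = Buffer.from("module.exports = (x) => x + 1;\n");
  const index = { files: { "main.js": { size: main.length, offset: "0" },
    lib: { files: { "util.js": { size: util.length, offset: String(main.length) } } } } };
  const json = Buffer.from(JSON.stringify(index));
  const padded = (json.length + 3) & ~3;   // pickle strings are 4-byte aligned
  const head = Buffer.alloc(16 + padded);
  head.writeUInt32LE(4, 0);                // size pickle payload length
  head.writeUInt32LE(8 + padded, 4);       // header pickle size
  head.writeUInt32LE(4 + padded, 8);       // header pickle payload length
  head.writeUInt32LE(json.length, 12);     // JSON string length
  json.copy(head, 16);
  return Buffer.concat([head, main, util]);
}
```

To audit a real package, pass the bytes of its app.asar (for example from Node's fs.readFileSync) to findHardcodedSecrets. Any hit means the value is readable by every user who installs the application.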