Skip to content

Point-of-Sale Password Recovery#

In this objective, we'll be pulling apart an application to find a hardcoded password. To get the hints, complete the Linux Primer terminal first.

Objective#

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What's the password?

Difficulty: 1/5

Sugarplum Mary's dialog:#

Hey, wouldja' mind helping me get into my point-of-sale terminal?
It's down, and we kinda' need it running.
Problem is: it is asking for a password. I never set one!
Can you help me figure out what it is so I can get set up?
Shinny says this might be an Electron application.
I hear there's a way to extract an ASAR file from the binary, but I haven't looked into it yet.

Hints#

It's possible to extract the source code from an Electron app.
There are tools and guides explaining how to extract ASAR from Electron apps.

Solution#

Electron is a framework for developing native applications with web technologies such as JavaScript, HTML, and CSS. From the guide on medium, it's possible to extract the source code of the application. We'll use the guide as a basis to finding and viewing the source code to the Santa Shop application.

Opening the Santa Shop terminal displays the following screen:

Santa Shop dialog

We're presented with a link to download the application for offline analysis. Downloading the file and running the file command on it gives us some details on what type of application we're dealing with:

file command on santa-shop.exe

The important piece of information file returned is Nullsoft Installer self-extracting archive. While we could transfer the executable to a Windows machine and run the installer, it's easier to use a tool like 7zip to just extract the installation files:

Extracting santa-shop.exe installer

This gives us the installer files, but unfortunately we don't yet have the .asar file that contains the application source. Looking in the $PLUGINSDIR directory, there is a app-64.7z file which looks promising. Let's create a directory to store it's contents, extract it with 7-zip, and use the find command to look for any .asar files:

Extracting app-64.7z file

Aha, there is a file app.asar in the resources directory. From the guide, we need to use the asar utility from node.js to work with the file. After installing node.js and adding the asar command, we can run npx asar list command on app.asar to see a list of the application source code:

Contents of app.asar

npx asar extract {filename} {directory} is used to extract the source files from {filename} into {directory}. Extracting the source to a src directory and viewing the README.md tells us that the password is at the top of the file main.js:

Finding Santa's password

And there is Santa's password, in cleartext in the application source code.

Answer#

santapass