Objective 3: Point-of-Sale Password Recovery

Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What's the password?

Sugarplum Mary is located in the rear courtyard.

Sugarplum Mary

Clicking on the terminal, I'm met with:

Terminal

The downloaded offline version is just an executable. Opening it gives me a password prompt as shown above. Luckily, the executable is an Electron application, a JavaScript-based interface application that can be decompiled.

To do that, first I would ensure that npm (Node Package Manager) is installed on my machine. I have a Windows VM that I use for things like this, so I went and installed it, then ran:

npm -g install asar

asar is an archive format, loosely similar to tar, used to package Electron application code into an .asar file. First, navigate to the installed Electron app's directory. In this case, I went to C:\Users\agr0\AppData\Local\Programs\santa-shop\resources\

And there was the .asar file, app.asar. To extract I simply ran the following:

PowerShell prompt

And it extracted everything into the src directory. From there I navigated to app.js, and lo and behold I saw the following:

Password found!

Don't hard-code passwords into your apps! Password is: santapass.
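For developers who ship Electron apps, the same property can be checked before release. The following is an added example, not code from the original write-up or from the challenge: a Node.js audit that reads an .asar archive's file index and flags secret-looking identifiers assigned string literals. The function names, the regex heuristic and the sample archive are assumptions constructed for illustration.

```javascript
'use strict';
// asar layout: 8-byte size pickle, header pickle (JSON file index), then file data.
function parseAsar(buf) {
  const jsonLen = buf.readUInt32LE(12); // length of the JSON file index
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  return { header, dataStart: 8 + buf.readUInt32LE(4) }; // 8 + header pickle size
}

// Yield every packed file; directories carry a nested "files" map.
function* walk(node, prefix = '') {
  for (const [name, entry] of Object.entries(node.files)) {
    if (entry.files) yield* walk(entry, prefix + name + '/');
    else if (entry.offset !== undefined) yield { path: prefix + name, ...entry };
  }
}

// Assumed heuristic: a secret-looking identifier assigned a quoted literal.
const SECRET_RE = /\b(\w*(?:password|passwd|secret|token|api_?key)\w*)[ \t]*[:=][ \t]*(['"`])[^'"`\n]{4,}\2/gi;

// Report file, line and identifier only; the secret value is never echoed.
function findHardcodedSecrets(buf) {
  const { header, dataStart } = parseAsar(buf);
  const hits = [];
  for (const f of walk(header)) {
    if (!/\.(js|html)$/i.test(f.path)) continue;
    const start = dataStart + Number(f.offset); // offsets are relative to the data area
    const text = buf.toString('utf8', start, start + f.size);
    for (const m of text.matchAll(SECRET_RE))
      hits.push({ file: f.path, line: text.slice(0, m.index).split('\n').length, name: m[1] });
  }
  return hits;
}

// Constructed sample archive (one file under lib/) so the example runs offline.
function sampleFindings() {
  const src = "const title = 'shop';\nconst SUPERVISOR_PASSWORD = 'constructed-value';\n";
  const body = Buffer.from(src);
  const index = { files: { lib: { files: { 'main.js': { size: body.length, offset: '0' } } } } };
  const json = Buffer.from(JSON.stringify(index));
  const padded = Math.ceil(json.length / 4) * 4; // pickle strings are 4-byte aligned
  const head = Buffer.alloc(16 + padded);
  [4, 8 + padded, 4 + padded, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return findHardcodedSecrets(Buffer.concat([head, body]));
}
console.log(sampleFindings());
```

To audit a real build, pass `fs.readFileSync('app.asar')` to `findHardcodedSecrets`; any hit means the value ships to every user in readable form and the check belongs on a server instead.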