SANS Holiday Hack Challenge 2020: Objective 3— Point-of-Sale Password Recovery
Each year, the SANS and Counter Hack Challenges teams put together my favorite capture the flag (CTF) competition, the SANS Holiday Hack Challenge. The 2020 SANS Holiday Hack Challenge, featuring KringleCon 3: French Hens! was held at Santa’s newly renovated castle at the North Pole from December 10, 2020 to January 11, 2021. This is a walk-through for an objective from the event.
Objective 3) Help Sugarplum Mary in the Courtyard find the supervisor password for the point-of-sale terminal. What’s the password?
Upon logging into the PoS system, I got a message indicating it was locked out and I would have to download the offline version to inspect it.
I learned that the PoS system is likely an electron app and there may be a way to extract the ASAR file out of the app from Sugarplum Mary. To get started, I downloaded the santa_shop.exe file. I couldn’t find a good way to get to the asar file from the executable itself, so I ran the executable on a Windows VM to see what would happen. Turns out, it installed the app. From there, I was able to navigate to the install directory (C:\Users\<username>\AppData\Local\Programs\santa-shop) and under the resources folder, I found app.asar.
Next, I installed node.js which comes with npm. Then I installed the asar npm module and ran the command
asar extract app.asar sourcecode. This extracted the full source code of the app into a folder named
sourcecode. From here, I opened the main.js file because it seemed like a good place to start. And sure enough, I found the password here.
Objective 3 Answer: santapass
Interested in learning more about the 2020 SANS Holiday Hack Challenge? Check out my other walk-throughs available here.