Write a quick shell script to iterate through a dictionary file or otherwise programmatically generate a list of *.html entries to feed wget and keep trying until you hit the correct one.
You may also want to get a copy of CUPP (search for it) to generate a dictionary for you.
Personally this sounds more like an attempt at security through obscurity then any actual valid security mechanism. If all it comes down to is guessing the correct name for the file that's hardly a daunting task (especially if there's ever more than one use).
Additionally, if pass.html is really the method he's using then use of a public machine or non-private computer would reveal the "password" via browser history, which seems pretty stupid.