M 105: Plaintext Login (15 pts)

What You Need for This Project


To observe network transmissions from an insecure app, and prove that they are not encrypted properly.


This problem is gaining recognition, so few apps still have this flaw. Clear Messenger was used in an earlier version of this project, but that app has been removed from Google Play, as of Feb 10, 2019.

So please use one of these apps instead. They all used plaintext network transmission on Feb 10, 2019, but eventually they may be fixed or removed.

Installing a Vulnerable App

On your Android device, in Google Play, find and install the app shown below.

Archived APK

If you don't have access to Google Play, use this archived copy of the app:


Starting Wireshark

On your host system, launch Wireshark. If you don't have it, get it at:


In the main Wireshark window, double-click the network interface that is being used to reach the Internet. On my system, it is "Wi-Fi: en0", outlined in green in the image below.

Wireshark starts displaying packets. At the top, in the Filter bar, enter this display filter:

Press Enter to filter the traffic.

On your Android device, in the vulnerable app, use the "Create Account" page to make an account.

Wireshark shows two POST requests, as shown below.


If you don't see any packets, try these fixes:
  • Click the red square button to stop the capture
  • From the menu, click Capture, Options
  • Choose a different network adapter
  • If the "Link-layer header" is set to "802.11...", scroll to the right and uncheck the monitor box

In the top pane of Wireshark, right-click the second POST request, the one ending in "add_user.php", and click Follow, "TCP Stream".

The request appears, containing your credentials, as shown below.
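
The check you just made by eye in the Follow TCP Stream window can also be scripted. This is an added Python example, not part of the original project: it parses a reassembled request and reports secret-looking form fields that crossed the network in readable form, without printing their values. The stream, host, path prefix and field names are constructed placeholders (not the app's real parameter names), and the hint list is an assumption.

```python
from urllib.parse import parse_qsl

# Substrings suggesting a form field carries a secret (assumed list; extend as needed).
SENSITIVE_HINTS = ("pass", "pwd", "secret", "token", "pin")

# Constructed sample of a followed TCP stream. Host, path prefix and field
# names are made up and are NOT the lab app's real values.
_BODY = b"user_name=alice&user_email=alice%40example.test&user_pass=Hunter2%21"
SAMPLE_STREAM = (
    b"POST /api/add_user.php HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)

def find_cleartext_secrets(stream: bytes):
    """Return one finding per secret-looking field in a plaintext HTTP form POST."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return []                       # header block never ended
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []                       # not readable HTTP (for example TLS records)
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    length = headers.get("content-length", "")
    if length.isdigit():
        body = body[: int(length)]      # ignore anything after the declared body
    findings = []
    for field, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if any(hint in field.lower() for hint in SENSITIVE_HINTS):
            # Record the field name and value length only, never the secret itself.
            findings.append({"host": headers.get("host", "?"), "path": path,
                             "field": field, "value_len": len(value)})
    return findings

if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_STREAM):
        print(f"cleartext secret: {f['field']} ({f['value_len']} chars) "
              f"in POST http://{f['host']}{f['path']}")
```

An empty result for an app's login traffic means only that no readable form POST was found in that stream, which is what you expect once the app sends it over TLS.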

M 105: Parameter Name (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Converted to a CTF 2-28-19
Wireshark image fixed 1-29-2020
Updated 1-20-21