M 105: Plaintext Login (15 pts)

What You Need for This Project

Purpose

To observe network transmissions from an insecure app, and prove that they are not encrypted properly.

Background

This problem is gaining recognition, so few apps still have this flaw. The app below used plaintext network transmission on Mar 26, 2021, but eventually it may be fixed or removed.

Installing a Vulnerable App

On your Android device, in Google Play, find and install the app shown below.

Archived APK

If you don't have access to Google Play, use this archived copy of the app:

traveler.apk

Starting Wireshark

On your host system, launch Wireshark. If you don't have it, get it at:

https://www.wireshark.org/

In the main Wireshark window, double-click the network interface that is being used to reach the Internet. On my system, it is "Wi-Fi: en0", outlined in green in the image below.

Wirehark starts displaying packets. At the top, in the Filter bar, enter this display filter:

http
Press Enter to filter the traffic.

On your Android device, in the vulnerable app, enter any email and password into the login page, as shown below.

Wireshark shows a GET request to /Webservice/user_login.ashx. Click that line and expand the "Hypertext Transfer Protocol item in the lower pane, as shown below.

M 105.1: Host (15 pts)

Find the text covered by a green box in the image above. That's the flag.

Responsible Disclosure

I notified the developer in 2017.
Converted to a CTF 2-28-19
Wireshark image fixed 1-29-2020
Updated 1-20-21
Updated to use Traveler app 3-26-2021