Archived APK
This project requires the 2016 version of the app, which was the version in Google Play in April, 2019, when I wrote this project. If that version is no longer available, use this archived copy of the app:
Fill in the form, as shown below, but don't click the "Sign Up" button yet.
In the main Wireshark window, double-click the network interface that is being used to reach the Internet. On my system, it is "Wi-Fi: en0", outlined in green in the image below.
Wirehark starts displaying packets. At the top, in the Filter bar, enter this display filter:
http
Press Enter to filter the traffic.
On your Android device, in EquityPandit, click the "Sign Up" button.
In Wireshark, two POST requests appear, as shown below.
Right-click the second POST request, the one calling "add_user.php", and click Follow, "TCP Stream".
The request appears, as shown below, containing your username and password in plaintext.
To record your success, email that flag to us as shown at the bottom of this page.
Execute a login request. The flag is the domain name of the server it sends a POST request to.
Execute a login request. The flag is the domain name of the server it attempts to connects to.
From Kali, find your Android device with the netdiscover command.
Connect to it with adb connect.
Open a shell on the Android device with adb shell
Now you can use normal Bash commands, including these:
ls
cd
pwd
find
grep
nano
more
date
whoami
Find the locally stored copy of your password.
The name of the file containing it is the flag.
From Kali, find your Android device with the netdiscover command.
Connect to it with adb connect.
View the log with adb logcat
Find your password in the log, as shown below. The flag is the word covered by a green box in the image below.
Steal my password from the server. My password is the flag.
Note: I gave you permission to steal that password; don't steal other passwords without permission.