First of all I was doing all of this on my touchscreen phone, which made me give up soon, as my laptop was packed in the garage.
I used a program called Packet Capture that registers as a VPN connection in Android and routes all traffic through itself. I saw some external IPs with TLS data when visiting the captive portal: http://upload.4a.si/pcap.jpg
When I sent a request to one IP address, I learned from the response that I'd reached a Fastly endpoint. The response was an error page, claiming they host no one with this domain. I knew from a talk by Reddit sysadmins that they use the Fastly CDN, so I added a Host header with a value of old.reddit.com:
curl -ikH Host:\ old.reddit.com https://151.101.0.176/r/Slovenia.json
Then I added a rule in the AdAway software for Android (this one is used for DNS blacklisting to remove ads based on DNS queries and requires root access - changes /etc/hosts AFAIK) to overwrite old.reddit.com to this IP address.
I can't remember how I tricked the web browser into ignoring invalid certs.