sure, they would just hijack the outgoing TCP port 80 connection when you try to open a non HSTS domain. (and of course it could try to a port 443 with a fake cert thing too.)
also, there can be standardized portal lookup/discovery methods (this RFC has already expired, but it's likely that the effort will continue: https://tools.ietf.org/html/draft-pfister-capport-pvd-00 this seems to work with IPv6 only, as it builds on ICMPv6 Router Advertisement, but "provisioning domains" could simply be a DHCP data type too)
