Tr3nch
Whelement


Running scripts in Chrome pages with SKIOVOX Breakout and Sh0vel.

Finding Sh0vel

Sh0vel is necessary for Tr3nch to perform most of its functions.

    Instructions

    Check installed extensions
  1. Navigate to chrome://extensions.
  2. Check if any installed extensions contain the "Read your browsing history" permission.
     a. Find an extension to check.
     b. Click Details in the extension card.

    If necessary extensions are not installed
  1. Navigate to the Chrome Web Store.
  2. Find an extension that contains the "Read your browsing history" permission.
  3. Navigate to the extension's Chrome Web Store details page.
  4. Click Add to Chrome.

    Get the extension ID
  1. Navigate to chrome://extensions.
  2. Open the details page of the extension you installed.
  3. Copy the 32-character extension ID from the address bar after ?id=.
  4. Navigate to the manifest page of the extension you installed.
  5. Check if the unsafe-eval, browser_action, and browser_action text occurrences are present in the manifest file.
     a. Press Ctrl + F.
     b. Enter one of the strings provided in this step.
  6. If any of the previously listed text occurrences are not present in the manifest file, restart these steps and use a different extension. This would indicate that the extension is not fully compatible.
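
From the administrator's side, the same manifest traits can be audited across the extensions allowed in a managed profile, so that any extension combining them is reviewed or dropped from the allowlist. This is an added example, not part of Tr3nch or the original page; the function names, the constructed sample manifests, and the mapping of the "Read your browsing history" warning to the tabs and webNavigation permissions are assumptions.

```python
import json

# Assumption: permissions whose install warning reads "Read your browsing history".
HISTORY_WARNING_PERMS = {"tabs", "webNavigation"}

def csp_strings(manifest):
    """Return every CSP string: a plain string in MV2, an object of strings in MV3."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        return [v for v in csp.values() if isinstance(v, str)]
    return [csp] if isinstance(csp, str) else []

def allows_eval(manifest):
    """True only if a script-src directive itself lists 'unsafe-eval'."""
    for csp in csp_strings(manifest):
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0] == "script-src" and "'unsafe-eval'" in tokens[1:]:
                return True
    return False

def audit_manifest(text):
    """Return which of the traits named in the steps above one manifest.json has."""
    manifest = json.loads(text)
    findings = []
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    if perms & HISTORY_WARNING_PERMS:
        findings.append("history-warning-permission")
    if allows_eval(manifest):
        findings.append("script-src-unsafe-eval")
    if "browser_action" in manifest:
        findings.append("browser_action")
    return findings

def needs_review(text):
    """Flag an extension for allowlist review when all three traits are present."""
    return len(audit_manifest(text)) == 3

# Constructed sample manifests (not real extensions).
SAMPLE_FLAGGED = json.dumps({
    "manifest_version": 2, "name": "constructed-sample-a",
    "permissions": ["tabs", "storage"], "browser_action": {"default_popup": "p.html"},
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"})
SAMPLE_CLEAN = json.dumps({
    "manifest_version": 2, "name": "constructed-sample-b",
    "description": "mentions unsafe-eval only in free text",
    "permissions": ["storage"], "browser_action": {"default_popup": "p.html"}})

if __name__ == "__main__":
    for sample in (SAMPLE_FLAGGED, SAMPLE_CLEAN):
        print(json.loads(sample)["name"], audit_manifest(sample), needs_review(sample))
```

Unlike a Ctrl + F text search, this parses the policy directive by directive, so a manifest that only mentions the string in a description is not flagged.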

Performing the Exploit

    Instructions

  1. Enter a kiosk profile with SKIOVOX performed.
  2. Navigate to the SKIOVOX Breakout GitHub repository.
  3. Click the Code button.
  4. Click Download ZIP.
  5. If a download prompt opens, save the file to the Downloads folder.
  6. Navigate to chrome://extensions.
  7. Enable the Developer Mode switch on the extensions page.
  8. Click Load unpacked. An upload prompt should open.
  9. When the upload prompt opens, right click the downloaded ZIP file.
  10. Select Extract all.
  11. In the extracted folder > skiovox-breakout-main, click Open in the bottom right of the prompt.
  12. Navigate to chrome-untrusted://crosh.
  13. Run vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt. It should return "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
  14. Open a new tab.
  15. If the default New Tab page loads, install the SKIOVOX Helper extension in a new tab before proceeding.
  16. Click the folder icon in the bottom right. The file manager should open.
  17. In the file manager, navigate to Downloads.
  18. Open the opener.txt file. A new window should open with a blank page tab. This window is managed by your organization.
  19. Open a new tab.
  20. Close the blank page tab.
  21. Navigate to chrome://extensions.
  22. Open the details page of the extension you previously chose to install in your managed profile.
  23. Copy the extension ID as done previously.
  24. Return to the regular window that is not managed by your organization.
  25. Click the Extensions icon in the toolbar.
  26. Click and activate the Skiovox Breakout extension.
  27. In the input field for the extension ID, enter the ID of the extension you previously chose to install in your managed profile.
  28. Set the textarea text to the script you want to run.
  29. Click Start injection.

Loading the Tr3nch Menu

You should load Tr3nch into an extension before proceeding.
  1. Navigate to chrome://flags.
  2. Locate and enable the extensions-on-chrome-urls flag.
  3. Click Restart.
  4. After the restart, navigate to chrome://os-settings, chrome://settings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, or chrome://oobe.
  5. Click the Extensions icon in the toolbar.
  6. Click and activate the extension with the injected script. The Tr3nch menu should launch.

Credits

User          Description
Zeglol1234    Main developer
Writable      SKIOVOX Breakout implementations
Bypassi       Add Gmails exploit
NotBoeing747  Misc development & testing
Kxtz          Misc development & testing
Archimax      GUI inspiration
Kelsea        Logo
Katie         Testing