Finding Sh0vel
First things first: we need to find an installable extension that is vulnerable to Sh0vel, the bug that Tr3nch relies on for most of its functions.
Head over to chrome://extensions and the Chrome Webstore while signed in. On chrome://extensions,
if you see GoGuardian anywhere, that will be the extension you use for Tr3nch. If you don't have either of those installed, and
your sysadmin does not let you install them from the chrome webstore, you'll have to do a bit more digging.
If you already have GoGuardian installed, you're good to go, proceed to Entering Skiovox. If not, you'll have to find an extension that is vulnerable
yourself. Here's how to do that. First, if you haven't already, install an extension you want to check. Next, navigate to chrome://extensions, find the extension
you installed, and click the Details button on its card. Under Permissions, if it DOES NOT HAVE "Read your browsing history" (it can't actually do that by itself; the permission name is
extremely misleading), then the extension is guaranteed not to work with this. If it does, copy its ID. In the URL box, you should see something along the lines of chrome://extensions/?id=hegcdakijhbjghakcjaljmilmkcgekkd.
The characters after "?id=" will be different for you. Copy the characters after "?id=" (in the example I provided, the characters you would copy are "hegcdakijhbjghakcjaljmilmkcgekkd").
Then open a new tab and go to chrome-extension://extension_id_here/manifest.json (in the example I provided, you would go to chrome-extension://hegcdakijhbjghakcjaljmilmkcgekkd/manifest.json).
On the manifest, press CTRL + F to open a search prompt. Use this to see if the following terms are present (without quotes):
- "activeTab"
- "unsafe-eval" (NOT wasm-unsafe-eval, that WILL NOT WORK!)
- "browser_action" or "browserAction"
If all of those are present, great! That extension is vulnerable to Sh0vel! Use this extension when continuing with the guide.
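For administrators reviewing managed or force-installed extensions, the three manifest markers listed above can be checked structurally instead of by text search, which also handles the 'unsafe-eval' versus 'wasm-unsafe-eval' distinction correctly. This is an added example, not part of the original guide or the Tr3nch project; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: structural audit of extension manifests for the three markers
// this guide searches for. All sample manifests are constructed for illustration.

// Return every CSP string: Manifest V2 stores one string, V3 an object of strings.
function cspStrings(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return [csp];
  if (csp && typeof csp === 'object') {
    return Object.values(csp).filter((v) => typeof v === 'string');
  }
  return [];
}

// True only for the exact 'unsafe-eval' source; 'wasm-unsafe-eval' does not match.
function allowsUnsafeEval(manifest) {
  return cspStrings(manifest).some((policy) =>
    policy.toLowerCase().split(';').some((directive) =>
      directive.trim().split(/\s+/).slice(1).includes("'unsafe-eval'")));
}

// Report each marker separately; flag the manifest only when all three are present.
function auditManifest(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const findings = {
    activeTab: perms.includes('activeTab'),
    unsafeEval: allowsUnsafeEval(manifest),
    browserAction: 'browser_action' in manifest || 'browserAction' in manifest,
  };
  return { ...findings, flagged: Object.values(findings).every(Boolean) };
}

// Constructed inventory, keyed by made-up extension names.
const SAMPLE_MANIFESTS = {
  'legacy-monitor': {
    manifest_version: 2, permissions: ['activeTab', 'tabs'], browser_action: {},
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  },
  'wasm-only': {
    manifest_version: 3, permissions: ['activeTab'], action: {},
    content_security_policy: { extension_pages: "script-src 'self' 'wasm-unsafe-eval'" },
  },
};

// Names of the extensions in an inventory that carry all three markers.
function auditAll(manifests) {
  return Object.keys(manifests).filter((name) => auditManifest(manifests[name]).flagged);
}

console.log(auditAll(SAMPLE_MANIFESTS));
```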
Entering Skiovox
First, navigate to chrome://version while signed in to any account.
If this is blocked, find some other way to figure out your chrome version.
The first number directly after "Google Chrome:" is what matters.
This number should be anywhere between 112 and 120. If it is lower than 112,
this will still work, but the method for doing so will differ slightly.
If your number is between or equal to those two, follow the instructions here.
If your number is 119 or 120, there are alternative instructions in The Titanium Network discord server.
Once you are in Skiovox, proceed to Using Skiovox Breakout.
Using Skiovox Breakout
Head over to The Skiovox Breakout Repo and click the Green "Code" Button. Press Download Zip.
If prompted to, save it somewhere in your downloads folder. If nothing shows up, that's normal, continue anyway.
Navigate to chrome://extensions in a new tab, make sure the Developer Mode Switch in the top right of the page is enabled.
Press the button in the top labelled Load Unpacked. An upload prompt should show. Right click the zip file with Skiovox Breakout
in the name, select Extract All. Open the newly extracted skiovox breakout folder, then the folder skiovox-breakout-main.
Press the Open button in the bottom right.
Open the url chrome-untrusted://crosh in a new tab. In the newly opened terminal, paste this code:
vmc create-extra-disk --size=1 /home/chronos/user/MyFiles/Downloads/opener.txt
And press enter. The command should report "A raw disk is created at /home/chronos/user/MyFiles/Downloads/opener.txt."
Open a new tab, click the folder icon in the bottom right (if it isn't there, you need to follow step 3 in the Skiovox setup guide).
The file manager should open. Open the Downloads folder and double-click the file opener.txt. A new window should open with a blank page, open a new tab and close
the blank page. This is your school window.
On the school window, navigate to chrome://extensions in a new tab. Find the extension you determined was vulnerable to Sh0vel in step 1, and
click its details page. In the URL box, you should see something along the lines of chrome://extensions/?id=hegcdakijhbjghakcjaljmilmkcgekkd. The characters
after "?id=" will be different for you. Copy the characters after "?id=" (in the example I provided, the characters you would copy are "hegcdakijhbjghakcjaljmilmkcgekkd").
Without closing the school window, navigate back to the unblocked Skiovox window. Open the puzzle-piece icon in the top right, and select the extension Skiovox Breakout.
In the box that contains "alert(1);", remove ALL TEXT from the box. In the box labelled "Place your extension ID here", paste the characters you copied from the school
window into the box. Finally, click "Start Injection".
If all goes well, you should have received a prompt stating Skiovox Breakout is debugging this browser. Do NOT press cancel OR the X! Navigate back to the school window,
it should still be on the details page you opened. Find a switch anywhere on the page, the most common switch is Allow Access to File URLs. Click it once or twice, and
an alert box should appear. It will inform you to save a page in your bookmarks. To do this, copy the URL it informed you to save and close the prompt. Open a new tab in your
school window, and press the star icon in the top right. A bookmark should be created in the top left. Right click it, and select Edit. Change the name to whatever you like,
delete everything in the URL box, and paste the URL you copied in its place. Save the bookmark, and you're fully set up.
Injecting/Updating Tr3nch
If you're still in skiovox, sign out of the kiosk session and log in normally. Find the bookmark you created, right click it, and select Open in new tab. A page should open
with a textbox and a button that says "Evaluate" on it. Using whatever method is convenient to you (The Titanium Network discord server again has a lot of tools to do this),
navigate to The Source Code in an unblocked tab, open the file tr3nch.js, and copy its entire contents.
Next, navigate back to the page you opened with the textbox and button. Click the textbox, and paste the code you copied. Press the evaluate button.
A new page should open. Bookmark this newly opened page and name it "Tr3nch Injector", or anything that helps you remember what it is.
Once you've done this, Tr3nch is set up on your extension. Note that if the extension ever gets reset or disabled, or the computer signs out or restarts, you'll need to re-inject Tr3nch.
To do this, simply right-click the Tr3nch injector bookmark (NOT the skiovox breakout bookmark), and select "Open in new tab". Once you've done that, Tr3nch has been re-injected and you can
close the tab that was opened.
To ensure things are stable and you have access to as many features as possible, you'll want to occasionally update Tr3nch. To do this, simply redo the steps from the start of this section (copying the contents of tr3nch.js and pasting them)
and Tr3nch should be updated for you.
Loading the Tr3nch Menu
To load the Tr3nch menu with its full capabilities, you need to enable a specific flag first. To do this, navigate to chrome://flags in a new tab, preferably after you've loaded Tr3nch into your extension.
A new window should appear. In the search bar at the top, search for "extensions-on-chrome-urls". A single flag should appear; click the box and set it to Enabled. If prompted to, click the restart button.
Once the flag has been set, do not disable it. You will only have to enable it once for this to work persistently. Now, you have some options. There are a lot of pages you can choose to run Tr3nch on, each with
their own capabilities. Some of the most powerful URLs are chrome://os-settings, chrome://settings, chrome://extensions, chrome://chrome-signin, chrome://inspect, chrome://file-manager, chrome://network, and chrome://oobe (chrome://oobe most likely
won't work for you; if it doesn't, do not open an issue, as this is not fixable!).
Open one of those URLs in a new tab, and while viewing it, click the icon of the extension you injected Tr3nch into (if it isn't in the top right, check the puzzle piece icon). If done successfully, Tr3nch should load in instantly.
Read this, this is important! If the URL you were trying to open opens a new window instead of opening as a tab (chrome://os-settings and chrome://file-manager being the primary examples), you will first need to load Tr3nch on any normal URL, scroll down
to the Quick Navigation section, and select the url you were trying to open, and then it will open as a normal tab. From there, continue with loading Tr3nch normally.
Once you're in the Tr3nch menu, there are a large number of different options, but what is shown depends on what page you're viewing. No page will show all of the possibilities, but some of the things it can do are:
- Run code on the current extension, content script, or chrome url itself
- Disable/loopkill managed extensions
- Restart, Sign Out, or Powerwash in the click of a button
- Add user gmails or profiles to your school account
- Change the network state
- Open an unblocked webview tab invisible to most filters
- (Sometimes) Open devtools on any page or extension
- Change site settings for any page
- Update the OS and pause/resume automatic updating
And a bit more.