# 1- Spiking

**Spiking:** finding the vulnerable part of the program.

Run the Vulnserver software as administrator:

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FXhCJS1VIVYjBG0VbFRN7%2Fimage.png?alt=media&#x26;token=7660cbf6-0ed1-4bb6-8087-b3603cf8ff60" alt=""><figcaption></figcaption></figure>

Run the Immunity Debugger software as administrator. Go to **File**, select **Attach**, and select **Vulnserver**.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FjJEWPJNrgY5QdKhekb1Q%2Fimage.png?alt=media&#x26;token=f5280dac-3a79-4106-81a3-a6718fb31800" alt=""><figcaption></figcaption></figure>

We can check the status at the bottom right corner: <mark style="color:red;">**"Paused"**</mark>

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FyAvdWMDQccmKUC3mt2gG%2Fimage.png?alt=media&#x26;token=7e6bdd11-09db-4122-8839-d6b730a8ee3e" alt=""><figcaption></figcaption></figure>

Click the **Run** button or press **F9**, and we can check that the status at the bottom right corner now shows <mark style="color:green;">**"Running"**</mark>.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FtwuVuuLBz1rUaJ2nevMM%2Fimage.png?alt=media&#x26;token=080b1080-4048-49df-86ac-7b458d197595" alt=""><figcaption></figcaption></figure>

From the Kali machine, use the **NetCat** tool to connect to the vulnserver:

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FEGWczfo7Y6rNHfOTgzQD%2Fimage.png?alt=media&#x26;token=479f6373-960a-4f33-adb6-4fe3ca6cfc5e" alt=""><figcaption></figcaption></figure>

To perform a spike, we can use the tool "**generic\_send\_tcp**":

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FzpLB2Wwe7Z8e8M3tC3tV%2Fimage.png?alt=media&#x26;token=07c02b2a-dfc3-4ff2-bcd5-7e0f3d5174eb" alt=""><figcaption></figcaption></figure>

For the **spike\_script**: we send random variables to try to break the **"STATS"** part of the program.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2Fi9Ir4nNYvYf2mSSTifYd%2Fimage.png?alt=media&#x26;token=0644778e-503f-4c31-826c-268c579201d9" alt=""><figcaption></figcaption></figure>

We start sending random variables to test whether that part of the program is vulnerable or not. Nothing happened, so it does not look vulnerable.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2F9nygyE7bWK7rrjHdhH0p%2Fimage.png?alt=media&#x26;token=895cb39b-046b-4b78-844e-670bc25e4dfb" alt=""><figcaption></figcaption></figure>

Again, we send random variables to try to break the **"TRUN"** part of the program.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2Fe8LUwbFHDXYjzOZmMHfH%2Fimage.png?alt=media&#x26;token=07dbb740-3ad0-4f19-aa67-ea699e297a55" alt=""><figcaption></figcaption></figure>

We found that, after sending random data to the TRUN part, Immunity Debugger immediately started blinking. We can check the status and find <mark style="color:red;">**"Paused"**</mark> and **Access violation**.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FnCcykDXXWLWD71am6PYk%2Fimage.png?alt=media&#x26;token=64d8373d-7dd9-431b-84ef-1db2b3609ade" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2Ff0a4HyYwS3NFl59ENXSJ%2Fimage.png?alt=media&#x26;token=c7cdf51f-78a1-4600-8563-31edb2532322" alt=""><figcaption></figcaption></figure>

Also notice that the vulnserver has already **crashed**.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FtwKFIUJOYWHuQWkXUuoL%2Fimage.png?alt=media&#x26;token=b09a2a43-e9ba-42d3-a43d-1cdc1bca0394" alt=""><figcaption></figcaption></figure>
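The spiking step shown above (send one command with an ever-growing argument and watch whether the service is still answering) can be reproduced in a few lines of Python. The script below is an added example, not the page's `spike_script` and not code from Vulnserver's authors; the function names `build_payloads`, `probe` and `spike` are mine, and the `MockVulnserver` class is a constructed stand-in with a hypothetical 2000-byte limit on `TRUN` so that the example runs offline. On a real lab target you would call `spike` with the host and port of the vulnserver instead of the mock.

```python
import socket
import threading


def build_payloads(command, start=100, step=100, max_len=5000, filler=b"A"):
    """Yield `command` followed by an argument of growing length, in the
    spirit of SPIKE's s_string_variable(), each terminated by CRLF."""
    for n in range(start, max_len + 1, step):
        yield command.encode() + filler * n + b"\r\n"


def probe(host, port, payload, timeout=2.0):
    """Send one payload and return True if the service answered.

    A refused connection, a timeout, or a connection closed without a reply
    are all treated as "service not responding", which is the spiking signal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)              # banner, discarded
            s.sendall(payload)
            return len(s.recv(1024)) > 0
    except OSError:                   # covers ConnectionRefusedError and timeouts
        return False


def spike(host, port, command, **kwargs):
    """Return the argument length at which the service first stopped
    answering, or None if every payload up to max_len was accepted."""
    prefix_len = len(command.encode())
    for payload in build_payloads(command, **kwargs):
        if not probe(host, port, payload):
            return len(payload) - prefix_len - 2   # strip command and CRLF
    return None


class MockVulnserver:
    """Constructed stand-in so the example runs offline (not the real vulnserver).

    It answers every command with "OK" until the argument to `weak_command`
    exceeds `limit` bytes; then it drops the connection without replying and
    stops accepting, mimicking a process that died on an access violation."""

    def __init__(self, weak_command="TRUN ", limit=2000):
        self.weak_command = weak_command.encode()
        self.limit = limit
        self.crashed = False
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))     # ephemeral port
        self.listener.listen(5)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _read_line(self, conn):
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(65536)
            if not chunk:
                break
            data += chunk
        return data

    def _serve(self):
        while not self.crashed:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"Welcome to the stand-in server.\n")
                data = self._read_line(conn)
                arg_len = len(data) - len(self.weak_command) - 2
                if data.startswith(self.weak_command) and arg_len > self.limit:
                    self.crashed = True
                    self.listener.close()    # no reply, no further connections
                    return
                conn.sendall(b"OK\n")


if __name__ == "__main__":
    server = MockVulnserver()
    print("STATS:", spike("127.0.0.1", server.port, "STATS ", max_len=3000))
    print("TRUN :", spike("127.0.0.1", server.port, "TRUN ", max_len=3000))
```

Against the mock, `STATS` survives every payload and `TRUN` fails at 2100 bytes, the first step past the constructed limit. A lost reply alone is only a hint, though: a slow service can also time out, so on the real target the result is confirmed the way the page does it, by watching Immunity Debugger report the access violation.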

On Immunity Debugger, we found that the buffer space was filled with the letter **"A"** and in fact overflowed. Notice that we have overflowed into **ESP (Extended Stack Pointer)**, **EBP (Extended Base Pointer)**, and **EIP (Extended Instruction Pointer) / return address**.

The EIP is the important one. In fact, if we can control this **EIP**, we can point it to malicious code.

<figure><img src="https://1535793005-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqDX4NWkPelZggTpGCfyF%2Fuploads%2FvzeKzUg6Of0hyLHFzIIh%2Fimage.png?alt=media&#x26;token=2b913c6c-a7b9-4048-815f-56743c21c499" alt=""><figcaption></figcaption></figure>
