# Step 0: Spiking (Optional) Note that vulnserver has many commands available: ![Commands](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MgCB5Aa48wcrgIyI10W%2F-MgCBCpYsl6hSLk6sD8I%2Fimage.png?alt=media\&token=de769f22-5239-4d69-a03e-5aab053ee7f1) In order to figure out which commands are vulnerable, we use `generic_send_tcp` to "spike" the executable and look for crashes: ```bash generic_send_tcp ``` Suppose we want to spike the TRUN command, then the spike script is: {% code title="trun.spk" %} ``` s_readline(); s_string("TRUN "); s_string_variable("0"); ``` {% endcode %} Run vulnserver by pressing F9 in Immunity Debugger. From our Linux attack machine, spike it: ```bash generic_send_tcp 192.168.1.2 9999 trun.spk 0 0 ``` Immidiately, the executable crashed. We can confirm that the `TRUN` command has BoF vulnerability: ![Crash](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MgCUpZgUKYYu8xVIBqy%2F-MgCYLwA0H2sCIZBeJjN%2Fimage.png?alt=media\&token=1bfeccca-75a8-43a9-9ab5-6c32ace8940c) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ret2basic.gitbook.io/ctfnote/red-teaming/buffer-overflow/step-0-spiking-optional.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.