you can download it here: http://www.five86.com/downloads/DC-5.zip
use nmap to discover the target
check port 80, and got stuck for a very long time.
notice that there is only one dynamic page with /thankyou.php?firstname=asdf&lastname=asdf&country=australia&subject=asdfasdf, tried sqli but failed.
finally found the hint from the author: http://www.five86.com/dc-5-clue.html
seems like there is a local file inclusion in thankyou.php
so I can visit / (asdfasdf is the PHP eval function, Windows Defender is killing it, so…), and this entry will be written to the nginx access log; then including the nginx access log leads to lfi
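An added example, not part of the original write-up: a check a defender could run over an nginx access log to spot the log poisoning described above, flagging PHP tags stored in the log and request parameters that point at server-side files. The log lines are constructed, `example_param` is a hypothetical parameter name, and `/var/log/nginx/access.log` is an assumed log location.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+'
    r' "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)
# Parameter values that point at server-side files instead of form data.
FILE_PATH = re.compile(r"(?:\.\./|^/(?:var/log|proc|etc)/)", re.I)

def decode(value):
    """URL-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(3):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines):
    """Return (line_number, client_ip, finding) for each suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = [decode(m[k]) for k in ("request", "referer", "agent")]
        if any(PHP_TAG.search(f) for f in fields):
            findings.append((n, m["ip"], "php-tag-in-log"))
        parts = m["request"].split(" ")
        if len(parts) >= 2:
            query = urlsplit(parts[1]).query
            for name, value in parse_qsl(query, keep_blank_values=True):
                if FILE_PATH.search(decode(value)):
                    findings.append((n, m["ip"], "file-path-param:" + name))
    return findings

# Constructed sample entries (documentation IP range, placeholder PHP tag).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /thankyou.php?firstname=asdf&lastname=asdf&country=australia&subject=asdfasdf HTTP/1.1" 200 852 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:10:01:00 +0000] "GET /<?php/*constructed-placeholder*/?> HTTP/1.1" 404 169 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2020:10:02:00 +0000] "GET /thankyou.php?example_param=/var/log/nginx/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A PHP tag stored in the access log is only a risk once something includes that log, so the two findings together from the same client are the signal worth alerting on.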
get a reverse shell:
now I have a low privilege shell, need to escalate privilege to root.
stuck here for some time, tried several exploits but none worked, decided to see what I can do with suid files
noticed that screen-4.5.0 can be used to escalate privilege, exploit available here: https://www.exploit-db.com/raw/41154