you can download it here: http://www.five86.com/downloads/DC-5.zip

use nmap to discover the target

1

check port 80, and stucked for very long time.

notice that there is only one dynamic page with /thankyou.php?firstname=asdf&lastname=asdf&country=australia&subject=asdfasdf, tried sqli but failed.
finally find the hint from the author: http://www.five86.com/dc-5-clue.html
seems like there is a local file inclusion in thankyou.php

2

3

so I can visit / (asdfasdf is the php eval function, windows defender is killing it, so…), and this entry will be written down to nginx access log, then include the nginx access log, lead to lfi

4

get a reverse shell:

5

now I have a low privilege shell, need to escalate privilege to root.

stucked here for some time, tried several exploits but not working, decided to see what can I do with suid file

6

noticed that screen-4.5.0 can be used to escalate privilege, exploit available here: https://www.exploit-db.com/raw/41154

7