Expose a vulnerable linux VM to the raw internet. Wait for it to get infected. Find the process thats connected to the cnc server using lsof. use gcore to dump its memory to a file. cat that into strings and look for the irc channel and server. Or just watch it all in wireshark but thats kinda boring. Have fun and stay safe.