Exploitation 6

This challenge requires us to get shell access to the server.

Based on our enumeration using Ridgebot, one of the vulnerabilities of the server is Shellshock Remote Code Execution (CVE-2014-6271).

Description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.'
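From the defender's side, the description above gives a usable detection signal: Bash only treats an environment value as a function definition when it begins with `() {`, and mod_cgi copies request headers into `HTTP_*` variables. The following is an added example, not part of the original write-up: it scans Apache combined-format log lines for that prefix. The log lines, addresses and paths are constructed, and the trailing command is replaced by a placeholder.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain escaped quotes (\"), which the pattern tolerates.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + QUOTED + r' (?P<status>\d{3}) \S+ '
    + QUOTED.replace('(', '(?P<referer>', 1) + ' '
    + QUOTED.replace('(', '(?P<agent>', 1) + r'$'
)

# Bash imports a variable as a function only if the value begins with "() {".
# Anchoring at the start avoids flagging JavaScript such as "function(){}"
# that appears in the middle of a URL. Whitespace variants are tolerated.
FUNC_DEF_PREFIX = re.compile(r'^\s*\(\s*\)\s*\{')

def find_shellshock_attempts(lines):
    """Return (host, time, field) for each logged header that starts with the marker."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("referer", "agent"):
            if FUNC_DEF_PREFIX.match(m.group(field)):
                hits.append((m.group("host"), m.group("time"), field))
    return hits

# Constructed sample lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Oct/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Oct/2023:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; <redacted>"',
    '203.0.113.10 - - [12/Oct/2023:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :;}; <redacted>" "curl/8.0"',
    '198.51.100.8 - - [12/Oct/2023:10:01:11 +0000] "GET /a.js HTTP/1.1" 200 90 "http://example.com/?q=function(){}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, when, field in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{when} {host}: function-definition prefix in {field}")
```

The combined format records only the Referer and User-Agent headers, so a request that carries the prefix in another header (for example Cookie) leaves no trace here and needs a custom `LogFormat` or inspection at a proxy or WAF.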

I use ngrok to create a tunnel to my Kali machine, since I don't have a VPS.

I replace the payload with a one-liner reverse shell.

I prepare my netcat listener, hit Enter, and get a reverse shell connection.

Inside the server, I found the image that contains the flag.

Flag: RC15{sXpbTeFkvtXALSTpT2Fd866774kA5kzp}
