This challenge requires us to get shell access to the server.
Based on our enumeration using RidgeBot, one of the server's vulnerabilities is Shellshock Remote Code Execution (CVE-2014-6271).
Description: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka 'ShellShock.'
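Because a malicious value has to begin with a Bash function definition, the mod_cgi vector named in the description leaves a recognizable trace in web server logs. The following is an added example (not part of the original write-up) that scans Apache combined-format log lines for that prefix and reports what trails the function body; the log lines, addresses and the `echo` marker are constructed sample data.

```python
import re

# Bash treats an environment value starting with "() {" as a function definition.
# This pattern is deliberately looser about whitespace than Bash itself.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache escapes embedded quotes as \"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + '$'
)
FIELDS = {"request": 2, "referer": 4, "agent": 5}  # regex group numbers

def trailing_text(value):
    """Return the text after the function body, or None if no definition is present.
    Heuristic: the body is assumed to end at the first closing brace."""
    m = FUNC_PREFIX.search(value)
    if not m:
        return None
    close = value.find("}", m.end())
    return "" if close == -1 else value[close + 1:].lstrip(" ;")

def scan(lines):
    """Return one finding per logged field that carries a function-definition prefix."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        for name, group in FIELDS.items():
            tail = trailing_text(m.group(group))
            if tail is not None:
                findings.append({"line": number, "host": m.group(1), "field": name,
                                 "status": m.group(3), "trailing": tail})
    return findings

# Constructed sample log lines (documentation-range addresses, harmless echo marker).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :; }; echo constructed-marker"',
    '203.0.113.9 - - [10/Oct/2014:13:56:04 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :; }; echo constructed-marker-2" "curl/7.38.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit only shows that a request carried the prefix; whether the trailing text ran depends on the Bash version behind the CGI handler.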
I use ngrok to create a tunnel to my Kali machine, since I don't have a VPS.
I replace the payload with a one-liner reverse shell.
I prepare my netcat listener, then I hit Enter and get a reverse shell connection.
Inside the server, I found the image that contains the flag.