Command injection with filter bypass, call curl on /get_flag to retrieve the flag.

Full walkthrough: https://www.youtube.com/watch?v=3GGpyEkt8GE&t=30s