Vulnerability analysis

The vulnerability is a blind OS command injection on the POST parameter "target" of the measurehops.php script. The script unsafely invokes the traceroute command with the user-provided input, then counts the number of output lines and decreases that number by 1. Because of the way traceroute output is formatted, this corresponds to counting the number of hops.

We can test the vulnerability (with Burp Repeater) by sending the HTTP body "target=localhost" and then "target=localhost;echo", and observe that the responses are 1 hop for the first request and 2 hops for the second one. We can also put further \n's in the injected echo command (echo "\n", echo "\n\n", etc.) and observe that the number of hops increases by one for each \n.

Exploitation

In order to steal the flag, we have to inject shell commands in such a way that the number N of output lines depends on the ASCII code of the flag's first character, which will be N-1. Then we do the same with the flag's second character, and so on.

A possible way to do that is to inject a "seq" command with an argument equal to the ASCII code of the flag's first character. We use "cut" to isolate the flag's first character and "printf" to convert it into digits:

(with Browser:)
localhost;seq $(printf '%d' "'$(cut -b 1 flag)")

(or with Burp Intruder:)
target=localhost;seq+$(printf+'%25d'+"'$(cut+-b+1+flag)")

The result will be N hops, which means that the flag's first character has ASCII code N-1. Repeat the attack by increasing the -b option of the cut command.

Remediation

It is always better to avoid invoking shell commands from server code, because the shell is too complex to be used without introducing security problems. Instead of launching shell commands, we can implement functionality similar to traceroute by means of PHP socket functions. If this turns out to be too complex and a shell command must be used, we at least have to sanitize the shell argument with escapeshellarg() and whitelist-based filters.
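The following PHP is an added example, not the challenge's measurehops.php: it shows the injectable pattern described above next to a hardened version that applies the two remediation steps (a whitelist filter and escapeshellarg()) and counts hops by matching traceroute's hop lines rather than by "all lines minus one". All function names and the sample inputs are hypothetical.

```php
<?php
// Added example (not the challenge's code): vulnerable pattern beside its hardened form.

// BEFORE: the target is concatenated straight into the command line, so any shell
// metacharacter in $_POST['target'] (';', a newline, '$(...)') is interpreted by the shell.
function count_hops_vulnerable(string $target): int
{
    $output = shell_exec("traceroute " . $target);
    return count(explode("\n", trim((string) $output))) - 1;
}

// Whitelist filter: accept only an IP literal or a syntactically valid hostname.
// Returns the validated string, or null when the input is not of the allowed shape.
function validate_target(string $target): ?string
{
    $target = trim($target);
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return $target;
    }
    // RFC 1123-style hostname: dot-separated labels of letters, digits and inner hyphens,
    // at most 253 characters in total. A leading hyphen is rejected, so no value can be
    // mistaken for a traceroute option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($target) <= 253 && preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $target) === 1) {
        return $target;
    }
    return null;
}

// AFTER: whitelist first, escapeshellarg() as defence in depth, then parse the output.
function count_hops_hardened(string $target): ?int
{
    $valid = validate_target($target);
    if ($valid === null) {
        return null; // reject outright rather than trying to "clean" the input
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded quotes, so the
    // whole value reaches traceroute as a single argument; "--" ends option parsing.
    $output = shell_exec('traceroute -- ' . escapeshellarg($valid) . ' 2>/dev/null');
    if (!is_string($output)) {
        return null;
    }
    $hops = 0;
    foreach (explode("\n", $output) as $line) {
        // traceroute prints one line per hop starting with the hop number; the header
        // line ("traceroute to ...") does not match, so no "minus one" guesswork is needed.
        if (preg_match('/^\s*\d+\s/', $line) === 1) {
            $hops++;
        }
    }
    return $hops;
}

// Constructed inputs: the first two are legitimate; the others mirror the write-up's
// injection payloads and are rejected before any shell is ever invoked.
$samples = ['localhost', '192.0.2.10', 'localhost;echo', "localhost\necho", '-x'];
foreach ($samples as $t) {
    printf("%-22s -> %s\n", json_encode($t), validate_target($t) === null ? 'rejected' : 'accepted');
}
```

The whitelist is the primary control: it decides what a target may look like, so the shell never sees a value it could misinterpret. escapeshellarg() only guards against the case where the whitelist is later loosened, and parsing hop lines explicitly removes the "count lines minus one" assumption that made the blind oracle readable in the first place.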