Vulnerability analysis

The vulnerability is an OS command injection in the POST parameter "domain" of the index.php script. The script unsafely concatenates the dig command (with the "+short" option) with the user-provided input. We can test the vulnerability (with Burp Repeater) by sending the HTTP bodies "domain=nonexistentdomain" and "target=nonexistentdomain;echo 1.2.3.4" and observing that the responses are "dig produced error" and "1" respectively.

Exploitation

In order to steal the flag, we have to inject a shell command in such a way that the first number of the IP address contains the flag that we want to steal. One way to do that is to inject a "cat" command followed by an "echo" command:

(with the browser:)
    nonexistentdomain;cat flag;echo .2.3.4

(or with Burp Intruder:)
    target=nonexistentdomain;cat+flag;echo+.2.3.4

Remediation

It is always better to avoid invoking shell commands from server code, because the shell is too complex to use without risking security problems. Instead of launching shell commands, we can implement functionality similar to dig with the PHP function dns_get_record(). If this proves too complex and a shell command must be used, we must at least sanitize the shell argument with escapeshellarg() and whitelist-based filters.
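
The two remediation options above, sketched in PHP as an added example (not the challenge's own code). The function names and the hostname allowlist are assumptions chosen for illustration; the sample inputs are constructed, apart from the test string quoted in the analysis.

```php
<?php
// Added example. Function names are hypothetical, not taken from index.php.

// Allowlist: dot-separated labels of letters, digits and hyphens, each 1-63
// characters, 253 in total. Every label must start with a letter or digit,
// so the value can never be read by dig as an option. /D stops "$" from
// matching before a trailing newline.
function is_valid_hostname(string $name): bool
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    $pattern = '/^' . $label . '(?:\.' . $label . ')*$/iD';
    return strlen($name) <= 253 && preg_match($pattern, $name) === 1;
}

// Preferred fix: resolve inside PHP, so no shell ever sees the input.
function resolve_a_records(string $name): array
{
    if (!is_valid_hostname($name)) {
        throw new InvalidArgumentException('invalid domain');
    }
    $records = @dns_get_record($name, DNS_A);
    return $records === false ? [] : array_column($records, 'ip');
}

// Fallback when dig must stay: validate first, then quote the argument.
function build_dig_command(string $name): string
{
    if (!is_valid_hostname($name)) {
        throw new InvalidArgumentException('invalid domain');
    }
    return 'dig +short ' . escapeshellarg($name);
}

// Constructed inputs; the second is the test string from the analysis.
$samples = ['example.com', 'nonexistentdomain;echo 1.2.3.4', "example.com\n"];
foreach ($samples as $input) {
    try {
        echo build_dig_command($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), PHP_EOL;
    }
}
```

The demo loop only builds the command string and never executes it, so it runs without network access; resolve_a_records() performs a live DNS query when called.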