The server proves that it is the correct server by returning the
challenge data the client sent it in the client hello message.
This message is encrypted using the server write key for this session. Since only the true server knows the private key that matches the public key in the servers certificate only the true server can decode the encrypted part or the master key and only it can correctly encode the challenge data with this key.
Most correctly encrypted messages would prove the server's identity. However many encryption algorithms encrypt some values poorly. For example the basic RSA algorithm encrypts a message of value 1 as itself. It is a simple matter for cooperating peers to avoid these values but an imposter might deliberately choose weak values in an attempt to thwart the authentication. This is avoided by forcing the server to encrypt some data chosen by the client.
At this point the server can request client authentication if required. If requested client authentication is similar to server authentication.