Since the level is down and the obvious category of vulns does not seem to work here, maybe it is possible to inject backend code?
I have tried one or two things but could not get anything working. If anyone has experience with this I wouldn’t mind a discussion, some sources to read or a friendly PM.
EDIT: I tried and read a lot this Weekend - I don’t think there’s any unintended vuln here. But I still learned a lot about PHP so it was worth it.