I have an idea for a new challenge on your website, in the playground section…
It’s a simple file uploader (Picture host website) and we have to bypass the extension restriction by adding a nullbyte OR an other extension like the case of file upload double extension.
You can see that on this if you want : https://resources.infosecinstitute.com/topic/null-byte-injection-php/
or this for double extension : https://book.hacktricks.xyz/pentesting-web/file-upload
Bxsic - github.com/bxsic-fr