Rating:
tl;dr
* SSRF using file_get_contents() and CRLF in ini_set()* basic Header quirks to bypass waf* sqli using column trick in SQLite to get the flag
I don't remember
