The upload script removes all /<\?|php/. So you can not run php.

You can only upload file whose name is captured by the regexp /^[a-zA-Z0-9]+\.[a-zA-Z0-9]+$/.

Login as admin and retrieve the flag.
The flag is the admin’s password.
You can use test:test.