As of 2019/06 - please messenger us if you have your questions.
Why are users allowed to mark challenge as completed?
Majority CTF-based challenges require you to use certain keywords or patterns in order. This may prevent you from creativities in achieving the ultimate goal of bypass. CTF key challenge is featured wherever possible.

Why don't you feature Injection flaws like SSRF?
You can enjoy such challenges in full fledged online labs like PentesterAcademy and PentesterLab and many damn vulnerable application DISTROs such as DVWA, WebGoat, Web Security Dojo, Mutillidae...etc.