Una ayudita para este desafio?

Hola, muchachos.
El nombre del desafio es SeSSxploit, lo cual parece que es una referencia a session poisoning.
Pero el tema es que no he encontrado como explotarlo..
Posteo el codigo fuente:
Código:
<?php
session_start();

if(!$db = @mysql_connect('localhost', '', '')) {
	die('Connection error');
}
if(!@mysql_select_db('netforce', $db)) {
	die('Can\'t locate database');
}

if(isset($send) && $send == 'reg' && !isset($_SESSION['Data'])) {
	if(isset($username) && isset($password)) {
		$username = htmlspecialchars($username);
		$password = htmlspecialchars($password);
	
		mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
	
		$Data['username'] = $username;
		$Data['password'] = $password;
		
		session_register('Data');
	
		echo 'You are added to our database! Click <a href="index.php"><b>here</b></a> to proceed!<br /><br />';
	}
} else if(isset($submit) && $submit == 'Login' && !isset($_SESSION['Data'])) {
	if(isset($username) && isset($password)) {
		$username = addslashes($username);
		$password = addslashes($password);
		
		$checkinfo = mysql_query("SELECT * FROM challenge_406 WHERE username='$username' AND password='$password'") or die('Error!');
		$Data = mysql_fetch_array($checkinfo);

		if($Data['id'] == '') {
			die('Wrong password!');
		} else {
			session_register('Data');
			header('Location: index.php');
		}
	}
} else if(isset($action) && $action == 'register') {
	
?>
<html>
<head>
<title>Register</title>
</head>
<body>

<h3>Register now!</h3>
<form action="index.php" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="hidden" name="send" value="reg">
<input type="submit" value="Register">
</p>
</form>

</body>
</html>

<?php

} else if(isset($action) && $action == 'logout') {
	session_destroy();
	header('location: index.php');
} else if(isset($_SESSION['Data'])) {
	$sesname = $_SESSION['Data']['username'];
	$sespass = $_SESSION['Data']['password'];
	
	$checkinfo = mysql_query("SELECT id FROM challenge_406 WHERE username='$sesname' AND password='$sespass'") or die('Error!');
	$checkit = mysql_fetch_array($checkinfo);
	
	if($checkit['id'] == '') {
		die('Wrong password!');
	} else {
		if($Data['level'] == '') {
			$Data['level'] = '0';
		}

		echo '<p>Welcome to our protected website!</p>';
		echo '<ul>';
		echo '<li>Username: '.$Data['username'].'</li>';
		echo '<li>Admin Level: '.$Data['level'].'</li>';
		echo '<li><a href="index.php?action=logout">Logout.</a></li>';
		echo '</ul>';
		
		if($Data['level'] == '8') {
			echo 'Well done! The solution is: [...]';
		}
  }
} else {

?>
<html>
<head>
<title>Login</title>
</head>
<body>

<h3>Login!</h3>
<p>
Not yet a member? <a href="index.php?action=register">Register a new account.</a><br />
</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="submit" name="submit" value="Login">
</p>
</form>

</body>
</html>

<?
}
?>
Por favor, no dar soluciones, solo ayudas..
Si el post no esta permitido, por favor borrarlo..

Saludos!