penetration test – RCE on a server running nodejs

I’ve analyzed an app where I’ve found different vulnerability.
I could upload/overwrite, delete and download anything. All critical vulns, but I didn’t know how I could get rce without making damages. I thought that I could replace the entire script responsible for the server, but I don’t think that my client would have enjoyed this, so I just reported the vuln without trying to get rce.
Do you have any idea? or some know technique?