JWTF - author: legoclones - web

WriteUp: Bylal, Eliot and M1nds

For this challenge, we noticed that the admin token can be accessed at /jrl. However, it is revoked. The server is still vulnerable, because it only checks whether the JWT given by the user is exactly the same as the revoked one. We changed one character in the admin JWT and used it at /flag to solve the challenge.
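The revocation flaw described above, as an added example that is not the challenge's code or part of the original writeup: a revocation check that matches the token text exactly, beside a hardened check that rejects non-canonical encodings and revokes by claim. The writeup does not say which character was changed or why the altered token still verified; this sketch assumes a lenient base64url decoder, and the key, the jti values and all function names are constructed for the example.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret, not from the challenge
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def b64d(seg):
    # Lenient decode (assumed server behaviour): padding restored, spare bits ignored
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims):
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify(token):
    """Return the claims if the HS256 signature is valid, else None."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return json.loads(b64d(body))
    except ValueError:
        return None

def is_canonical(token):
    # Each segment must re-encode to exactly the text that was submitted
    try:
        return all(b64e(b64d(seg)) == seg for seg in token.split("."))
    except ValueError:
        return False

def allowed_weak(token, revoked_tokens):
    # Flawed: revocation is an exact string match against the revoked list
    return verify(token) is not None and token not in revoked_tokens

def allowed_hardened(token, revoked_jtis):
    # Reject non-canonical encodings, then revoke by jti claim, not by token text
    claims = verify(token) if is_canonical(token) else None
    return claims is not None and claims.get("jti") not in revoked_jtis

def reencoded_variant(token):
    # Constructed regression input: same signature bytes, different final character
    head, body, sig = token.split(".")
    return f"{head}.{body}.{sig[:-1]}{ALPHABET[ALPHABET.index(sig[-1]) ^ 1]}"
```

Revoking by jti alone already closes the gap here; the canonical-encoding check is an extra layer so that one signed token has only one accepted spelling.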