I exploit a misconfigured Nginx alias to read the jwt.secret file, then forge an admin JWT token to access the hidden post containing the flag.
I send concurrent requests to exploit a non-atomic post count check, exceeding the 12-post threshold needed to unlock the flag endpoint.
I override the validation server via a debug cookie, serve a future-dated signed timestamp from my own server, and chain the unlocked feature into RCE to read the flag.
