I bypass dot-blocking by URL-encoding path separators, then use /proc/self/cwd to resolve the working directory and read the flag file directly.
I modify the admin field in the JWT payload to true, re-sign it with an arbitrary key, and access the flag since the server performs no signature verification.
I curl the page to avoid an infinite loop, then run the script in Node.js to resolve the %c format specifier and reveal the actual flag string.
