You're initially a guest. An admin dashboard exists — can you become admin by changing your cookie?
Open Developer Tools → Application → Cookies and inspect the auth cookie. Try editing it. Hint: it looks like a JWT (header.payload.signature).
Hint: You are not admin. Try modifying your cookie.
{
"error": "bad token format"
}
This challenge intentionally accepts tokens with "alg":"none". Change the token's header to {"alg":"none"} and set the payload to {"role":"admin"}. Then visit /admin.
The flag will appear in the admin dashboard if you are authenticated as admin.
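The defender's side of this challenge, as an added example (not the challenge's own server code): a verifier that lets the token's header choose the algorithm, next to one that pins the algorithm server-side. It assumes the cookie is meant to be an HS256-signed JWT; `SECRET`, `make_token`, `verify_vulnerable` and `verify_hardened` are hypothetical names, and all tokens are constructed samples.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # assumption: the server-side HS256 key


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(header: dict, payload: dict, key: bytes = b"") -> str:
    """Build constructed sample tokens for the demo (signed only if key is given)."""
    signing_input = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)


def verify_vulnerable(token: str) -> dict:
    """The flaw: the token's own header decides whether a signature is checked."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "none":
        expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def verify_hardened(token: str) -> dict:
    """Pin the algorithm on the server and always check the HMAC."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("bad token format")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("bad token format") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))
```

The hardened verifier never reads the payload until the signature has been checked with the algorithm the server expects, so the header's "alg" field can only cause a rejection, never a bypass.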