JWT confusion attack followed by Nunjucks SSTI to gain RCE and retrieve the flag.

Full walkthrough: https://www.youtube.com/watch?v=tV7C6HSrtm4