ThePromotion
Omar Mohamed
In the name of God, the Most Gracious, the Most Merciful.

This writeup won't be detailed since I am really tight on time. It was a black-box challenge; you can download it from here.

The JWT accepts the 'none' algorithm, so you can forge the same token with the 'admin' role.
The description mentioned that not all admins have the same permissions, so there is a specific admin username you need to use in the token.
There is a blind SQLi in the login (username input); after extraction, the username was 'mrs.somaya'. Forge the token with that username and the admin role to get the flag.
Another creative approach was to inject through the JWT token itself, in the username claim.

In the source code I was using the same vulnerable function "getUser(username)" for both the login and the user's role check in the dashboard.
Here it was simpler: a simple 1=1 payload will do the trick.
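As an added example (not the challenge's own code), here is how the two flaws above would be closed on the server side: a verifier that pins the algorithm instead of trusting the token's 'alg' header, and a parameterised getUser so a username taken from the token or the login form can no longer carry a 1=1 payload. The secret, the in-memory user table and the 'guest' row are constructed for the example; 'mrs.somaya' is the username from the writeup.

```python
import base64, hashlib, hmac, json, sqlite3

SECRET = b"example-secret-not-from-the-challenge"  # constructed; a real service loads it from config
ALLOWED_ALGS = {"HS256"}  # fixed server-side; the token's own alg header never decides the check

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, alg="HS256"):
    """Builds a token; alg="none" yields the unsigned shape the writeup's forged token has."""
    header = _b64url_encode(json.dumps({"alg": alg}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token):
    """Hardened verification: allowlisted alg, constant-time signature compare."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims, sig = json.loads(_b64url_decode(payload_b64)), _b64url_decode(sig_b64)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:  # "none" is refused here
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return claims

# Constructed in-memory table standing in for the challenge's users table.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)", [("guest", "user"), ("mrs.somaya", "admin")])

def get_user(username):
    """Parameterised lookup: a quote or 1=1 in the name is matched literally, not executed."""
    row = DB.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchone()
    return {"username": row[0], "role": row[1]} if row else None

def dashboard_role(token):
    """Role comes from the user's database row, not from a claim the client can edit."""
    claims = verify_token(token)
    if claims is None:
        return None
    user = get_user(str(claims.get("username", "")))
    return user["role"] if user else None
```

With this shape, the role claim in the token is irrelevant to the dashboard and an unsigned or re-signed payload is rejected before any database lookup happens.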