I won't go into details of CBC bit-flipping attack here, as others have described. I solved the challenge slightly different - I embedded a valid token in the handle, aligned it with spaces so it fit in a block, then sent just this block. I needed to correct for apostrophes (with bit flipping) because they can't be encoded as they are in JSON, but that was it. So the payload looked like this:

```
handle = bytearray(' '*no_of_required_spaces + "{ admin : true}" + ' '*some_other_numer_of_spaces)
token = split_into_blocks(get_token(handle), 16)
iv = token[3] # token[0] is original iv, token[1] is the part {"admin":false, "handle": something
forged_token = token[4]
iv[1] ^= ord(' ') ^ ord('"') #position of first space
iv[7] ^= ord(' ') ^ ord('"') #position of the second space
set_cookie(iv + forged_token)
```
This gave the flag.