[Academy] Broken Authentication - Weak Bruteforce Protection

hi guys.
i have a question about /question2 in weak bruteforce protection.
i used x-forward-for in header using curl, burpsuite, wfuz and many more tools.
but i can’t find the flag.
pls help me
how can i get the flag?

try local address


yep , with x-forward-for

1 Like

it works :+1:

I am using the defualt password csv file but no luck. Any hints to which pw list to use?


Nevermind. Yet again one of those “don’t overthink it” and you go DOOOOUGGGH.

Ended up using burp and got it.