[Academy] Broken Authentication - Weak Bruteforce Protection

hi guys.
i have a question about /question2 in weak bruteforce protection.
i used x-forward-for in header using curl, burpsuite, wfuz and many more tools.
but i can’t find the flag.
pls help me
how can i get the flag?

try local address

127.0.0.1??

yep , with x-forward-for

it works :+1:
tnx