In this challenge I used BurpSuite to intercept and modify HTTP requests
I deleted the line that mentioned an otp which bypasses MFA and got me the flag