In this challenge I used BurpSuite to intercept and modify HTTP requests

image.png

I deleted the line that mentioned an otp which bypasses MFA and got me the flag