Lab 1 - X-Forwarded-For Bypass:
Add header: X-Forwarded-For:
Rotate the IP for each attempt.
PIN: 7734
Flag: flag{rate_limit_xff_bypass}

Lab 2 - Username Variation Bypass:
Cycle through: admin, Admin, ADMIN, "admin " (space), "admin\x00" (null byte)
Each counts as a different rate limit bucket.
Password: supersecret99
Flag: flag{rate_limit_username_variation_bypass}

Lab 3 - Timing-based Enumeration:
Valid users respond in ~300ms, invalid in ~50ms.
Use Burp Intruder with a wordlist and sort by response time.
Valid usernames: admin, alice, bob, charlie, diana
Submit: admin
Flag: flag{rate_limit_timing_enumeration}
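
Server-side fix for the weaknesses in Labs 1 and 2, as an added example (not part of the lab material): the rate-limit key honours X-Forwarded-For only when the connection comes from a trusted proxy, and usernames are canonicalised before counting. The proxy address, sample IPs and function names are assumptions made for illustration.

```python
import ipaddress
import unicodedata
from typing import Optional, Tuple

# Assumption: the only reverse proxy allowed to set X-Forwarded-For (constructed value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the address to rate-limit on, ignoring client-supplied XFF."""
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by an untrusted peer is attacker-controlled: ignore it.
    if peer not in TRUSTED_PROXIES or not xff_header:
        return str(peer)
    # Walk the chain right to left; the first hop that is not one of our
    # proxies is the address our own infrastructure actually observed.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed chain: fall back to the TCP peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


def canonical_username(raw: str) -> str:
    """Collapse case, whitespace and control-character variants (Lab 2)."""
    name = unicodedata.normalize("NFKC", raw)
    # Drop control characters such as the null byte before trimming.
    name = "".join(ch for ch in name if unicodedata.category(ch) != "Cc")
    return name.strip().casefold()


def bucket_keys(peer_addr: str, xff_header: Optional[str],
                username: str) -> Tuple[str, str]:
    """Count every attempt against both a per-client and a per-account key."""
    return (f"ip:{client_ip(peer_addr, xff_header)}",
            f"user:{canonical_username(username)}")
```

The same canonical form should be used for the account lookup itself, so the limiter and the login check always agree on which account an attempt targets.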