We set up a service to check if you've found the correct flag for this challenge. It'd take 1.7*10^147 years to brute force, so don't bother trying it.
The Python script we are given takes guesses and tells us whether we are right or wrong (comparing expected/actual character-by-character), but it delays for a quarter of a second on every character that is correct. Hence, we can mount a timing attack. For any prefix, we can find the next character by trying the known prefix plus a candidate and measuring the response time. The correct next character is the one with the highest response time. Repeat until the whole flag is obtained.
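An added example, not the challenge's script: a local model of the checker described above (a simulated clock stands in for the real quarter-second sleeps) next to a constant-time variant built on `hmac.compare_digest`, showing that the prefix recovery works only while the per-character delay exists. `SECRET`, `ALPHABET` and all function names are assumptions made for this illustration.

```python
import hmac

SECRET = "flag{t1ming}"          # constructed sample flag, not the challenge's
DELAY = 0.25                      # seconds per correct character, as in the writeup
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789{}_"

def leaky_check(guess, secret=SECRET):
    """Model of the challenge checker; returns (ok, simulated seconds)."""
    elapsed = 0.0
    for g, s in zip(guess, secret):
        if g != s:
            return False, elapsed     # early exit: time reveals matched prefix length
        elapsed += DELAY              # stands in for time.sleep(0.25)
    return guess == secret, elapsed

def hardened_check(guess, secret=SECRET):
    """Constant-time compare with no per-character delay."""
    ok = hmac.compare_digest(guess.encode(), secret.encode())
    return ok, 0.0                    # simulated time does not depend on the match

def next_char(check, prefix):
    """Return the candidate whose timing stands out, or None if all are equal."""
    times = {c: check(prefix + c)[1] for c in ALPHABET}
    best = max(times, key=times.get)
    others = [t for c, t in times.items() if c != best]
    return best if times[best] > max(others) else None

def recover(check, max_len=64):
    """Extend the prefix one character at a time until the checker accepts."""
    prefix = ""
    while len(prefix) < max_len:
        c = next_char(check, prefix)
        if c is None:
            return None               # no timing signal: nothing to recover
        prefix += c
        if check(prefix)[0]:
            return prefix
    return None

if __name__ == "__main__":
    print("leaky:   ", recover(leaky_check))
    print("hardened:", recover(hardened_check))
```

Against a real service the measurements are noisy, so the fix matters more than the model suggests: remove the data-dependent delay and compare with a constant-time primitive rather than relying on jitter to hide the signal.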