A phishing/spam email promotes a 'free partnership tool' at start.avail.zone. The invite URL passes a domain through a query parameter — what does the server actually do with it? Investigate the request flow and find an abuse path that could turn this 'invite' into something nastier.
Objetivo: Understand the structure of the invite URL and identify all controllable parameters.
Contexto: You received the following invite link in an unsolicited email:
https://start.avail.zone/build-connections?website=hintru.com
Your goal is to map out the attack surface before touching any payloads.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
Break the URL into its components — scheme, host, path, and query string. Which parts are static and which are attacker-controlled?
The `website` query parameter accepts a domain value supplied entirely by whoever crafted the link. Think about what the server might DO with a domain name it receives.
Try replacing `hintru.com` with a domain you control (e.g. a Burp Collaborator or interactsh URL) and visit the link. Watch for inbound HTTP/DNS callbacks, redirects, or reflected values in the response.
Chatea con un tutor anti-spoiler para este paso. Usa solo la especificación de este lab y empieza por la pista más pequeña que sirva.
Cuéntale qué probaste, dónde te atoraste, o pega la respuesta/error que estás viendo.
¿Te gusta Hintru? Buy me a coffee ☕ ☕