[…]

flawed host verification // flawed request parsing

supplying an absolute URL in the request line:

GET https://YOUR-LAB-ID.web-security-academy.net/

and modifying the Host header -> not blocked

This suggests that the absolute URL is being validated instead of the Host header.
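To make that flaw concrete, here is an added illustration (not the lab's server code): a request router that checks the host named in an absolute-URL request target against an allowlist but then routes on the Host header, next to a hardened version that rejects any disagreement between the two. The lab hostname is the page's placeholder; `internal-admin.example` is a constructed stand-in for an internal address.

```python
from urllib.parse import urlsplit

# Lab hostname from the write-up, lower-cased since hostnames compare case-insensitively.
ALLOWED_HOSTS = {"your-lab-id.web-security-academy.net"}

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def _url_host(target: str):
    """Host named in an absolute-URL request target, or None for a plain path."""
    if target.startswith(("http://", "https://")):
        return urlsplit(target).hostname  # urlsplit already lower-cases it
    return None

def flawed_route(raw: str):
    """Flawed: the allowlist check looks at the absolute URL when one is present,
    but routing then uses the Host header, which was never validated."""
    _m, target, headers = parse_request(raw)
    host_hdr = headers.get("host", "").lower() or None
    checked = _url_host(target) or host_hdr
    if checked not in ALLOWED_HOSTS:
        return None  # request rejected
    return host_hdr  # destination comes from the Host header, not from 'checked'

def hardened_route(raw: str):
    """Hardened: every host-bearing field must name the same host, and that single
    host must be on the allowlist; a mismatch is rejected outright."""
    _m, target, headers = parse_request(raw)
    candidates = {headers.get("host", "").lower() or None, _url_host(target)}
    candidates.discard(None)
    if len(candidates) != 1:
        return None  # no Host header, or absolute URL and Host header disagree
    host = candidates.pop()
    return host if host in ALLOWED_HOSTS else None

# Constructed requests: one shaped like the write-up's (allowed host in the absolute
# URL, a different stand-in internal name in the Host header), one ordinary request.
MISMATCHED = (
    "GET https://YOUR-LAB-ID.web-security-academy.net/admin HTTP/1.1\r\n"
    "Host: internal-admin.example\r\n\r\n"
)
NORMAL = "GET /admin HTTP/1.1\r\nHost: YOUR-LAB-ID.web-security-academy.net\r\n\r\n"
```

`flawed_route(MISMATCHED)` hands the request to the internal name while `hardened_route` refuses it; both accept `NORMAL`.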

send a request with the Host header pointing at a Burp Collaborator payload; an incoming request there confirms the server connects to whatever host it is given

iterate over internal IP addresses in the Host header until one responds with a 302 redirect to the admin console

append /admin/delete to the URL, take the CSRF token from the returned page, and then send:

GET https://YOUR-LAB-ID.web-security-academy.net/admin/delete?csrf=QCT5OmPeAAPnyTKyETt29LszLL7CbPop&username=carlos