A very common trick in phishing, and one that is also useful in trying to break URL parsers, and WAFs is to replace characters with their unicode alikes. For example, a regular "/" (0x2F) can be replaced with unicode "∕" (0x2215) resulting in a normal looking link that will actually be treated as one long string instead of a URL path.

Combine this with a host authentication URL using @. You get a [email protected] that will be treated as a normal http request.

Orange Tsai 🍊 research on SSRF is a good resource to learn more about this (Link)

Note the generated link is not (https) because of the way SSL certs are given to specific domain names. CAs don't give wildcard certs for multi-level subdomains unless you specify the domain levels. Anyway, someone targeting a file name (a version for example) can always generate a free cert for it. For this demo's sake it's http only. However, for one-level subdomains https will work just fine.

wget can take multiple urls to fetch from separated by spaces. wget [option]... [ URL ]...

If the first URL returns a 404, nothing will be fetched and it will continue on to the next one. The -qO filename.zip part can be omitted as it just there to help keep things cleaner. So by passing the target link without a filename it is expected to get a 404 for the first URL. While having the second URL be a link named similar to the actual filename.