HTTP smuggling help
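The author describes using an HTTP smuggling vulnerability to create unauthorized WebSockets and successfully returning complete responses. However, on a new target they cannot escalate privileges or use the vulnerability for further attacks. Existing resources cover only the technical implementation and give no guidance on privileged access. The author has tried several approaches without success and is asking for further advice. 2025-7-19 23:25:7 Author: www.reddit.com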

I recently submitted an HTTP smuggling vuln that allowed me to create unauth websockets (still waiting on that with H1).

I've since moved onto a new target and decided to try the same bug again, and with HOURS of tweaking, I can finally return full smuggled HTTP responses with headers, cookies and a body.

My problem is, unlike my previous target, I can't seem to escalate my privileges. So I'm unsure how to exploit my smuggled request.

All the documentation I can find really only covers HOW to HTTP smuggle (headers, obfuscation, etc.) but not a lot of info on how I can gain privileged access or use this vulnerability after it's achieved.

So far, I've tried several internal path info exfiltrations with no luck. I've tried a myriad of stuff like GET /169.254.169.254 but my problem seems to be the host, which will not allow IP, localhost or the like.

So I'm thinking maybe my next move is attempting to spoof multi path access chains that are common on this domain, but truthfully I have no idea.

Any information is greatly appreciated.

Follow up question: How common is HTTP smuggling? I'd only recently learned of it and was surprised to find it back to back in the wild.


Source: https://www.reddit.com/r/HowToHack/comments/1m4a4ci/http_smuggling_help/