Summary: Document findings using notes for general observations and loot for structured data like credentials or flags.
Documenting Findings: Notes & Loot
A crucial part of any engagement is documenting your findings. pwnity provides two mechanisms for this, both of which are stored in the currently loaded report.
IMPORTANT: You must create and load a report before you can add notes or loot.

Notes: General Observations
Notes are for general-purpose, timestamped observations. They are perfect for keeping a running log of your thoughts, actions, and discoveries.
Commands:
note add <text...>: Adds a new note.
note list: Displays all notes for the current target.
note delete <index>: Deletes a note by its number from the list.
Example:
report load my-project-report
note add "Found a potential XSS vulnerability on the login page."
note add "The server seems to be running an outdated version of Apache."
Loot: Structured Findings
Loot is for structured, high-value findings like credentials, API keys, or flags. Each loot item has a type and a value. The available types are defined as a comma-separated list in the LOOT_TYPES key under the [GLOBAL] section of your etc/config.json file. This allows for consistent and easy data entry with autocompletion.
Commands:
loot add <type> <value...>: Adds a new loot item using one of the predefined types.
loot list: Displays all loot for the current target.
loot delete <index>: Deletes a loot item by its number from the list.
Example:
report load my-project-report
loot add credential admin:password123
loot add key A_VERY_SECRET_API_KEY_XYZ
loot add flag THM{y0u_f0und_m3}
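To make the two mechanisms concrete, here is an added Python model of what a report store behind the note and loot commands has to do: timestamp notes, number entries so that delete <index> works on the numbers shown by list, parse the comma-separated LOOT_TYPES value into the set used for validation and autocompletion, and persist the result. This is illustration code written for this page, not pwnity's own implementation; the CONFIG_LOOT_TYPES string, the Report class, the JSON file layout and the 1-based indexing are all assumptions.

```python
"""Hypothetical model of a report that stores timestamped notes and typed loot.
Added example, not pwnity's code; config format and file layout are assumptions."""
import json
import os
from datetime import datetime, timezone

# Constructed stand-in for the comma-separated LOOT_TYPES value that the page
# says lives under [GLOBAL] in etc/config.json (exact format is an assumption).
CONFIG_LOOT_TYPES = "credential, key, flag, hash"


def parse_loot_types(value: str) -> list[str]:
    """Turn 'credential, key, flag' into ['credential', 'key', 'flag'].

    Whitespace is stripped, case is normalised and duplicates are dropped so
    that the names used for validation and completion are consistent.
    """
    types: list[str] = []
    for raw in value.split(","):
        name = raw.strip().lower()
        if name and name not in types:
            types.append(name)
    return types


class Report:
    """In-memory report holding timestamped notes and typed loot (hypothetical)."""

    def __init__(self, name: str, loot_types: list[str]) -> None:
        self.name = name
        self.loot_types = loot_types
        self.notes: list[dict] = []
        self.loot: list[dict] = []

    # --- notes ---------------------------------------------------------------
    def note_add(self, text: str) -> int:
        """Append a note with a UTC timestamp; returns its 1-based index."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.notes.append({"ts": stamp, "text": text})
        return len(self.notes)

    def note_list(self) -> list[str]:
        """Render notes as numbered lines, the numbers being what delete takes."""
        return [f"{i}. [{n['ts']}] {n['text']}" for i, n in enumerate(self.notes, 1)]

    def note_delete(self, index: int) -> dict:
        """Delete by the 1-based number shown in note_list; rejects bad indices."""
        if not 1 <= index <= len(self.notes):
            raise IndexError(f"no note #{index}")
        return self.notes.pop(index - 1)

    # --- loot ----------------------------------------------------------------
    def complete_loot_type(self, prefix: str) -> list[str]:
        """Autocompletion candidates for a partially typed loot type."""
        return [t for t in self.loot_types if t.startswith(prefix.lower())]

    def loot_add(self, loot_type: str, value: str) -> int:
        """Add a loot item, refusing any type that is not listed in LOOT_TYPES."""
        loot_type = loot_type.lower()
        if loot_type not in self.loot_types:
            allowed = ", ".join(self.loot_types)
            raise ValueError(f"unknown loot type {loot_type!r}; allowed: {allowed}")
        self.loot.append({"type": loot_type, "value": value})
        return len(self.loot)

    def loot_list(self) -> list[str]:
        return [f"{i}. {item['type']}: {item['value']}" for i, item in enumerate(self.loot, 1)]

    def loot_delete(self, index: int) -> dict:
        if not 1 <= index <= len(self.loot):
            raise IndexError(f"no loot #{index}")
        return self.loot.pop(index - 1)

    # --- persistence ---------------------------------------------------------
    def save(self, path: str) -> None:
        """Write the report as JSON, owner-readable only, because loot holds secrets."""
        payload = {"name": self.name, "notes": self.notes, "loot": self.loot}
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(payload, fh, indent=2)


if __name__ == "__main__":
    report = Report("my-project-report", parse_loot_types(CONFIG_LOOT_TYPES))
    report.note_add("Found a potential XSS vulnerability on the login page.")
    report.loot_add("credential", "admin:password123")
    report.loot_add("flag", "THM{y0u_f0und_m3}")
    print("\n".join(report.note_list() + report.loot_list()))
    report.save("my-project-report.json")
```

The type check in loot_add is what makes the LOOT_TYPES list worth maintaining: a typo such as "credentail" is rejected with the allowed list instead of silently creating a new category, and complete_loot_type is the same list driving tab completion. The save routine creates the file with mode 0600 because the loot section is, by definition, the most sensitive part of the engagement record.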
By storing notes and loot in a report, all your findings for an engagement are kept organized in one place.