hi guys.
In all of pentest learning videos which i watch they always say check the webserver to find directory browsing addresses u can find it via nikto or the robots.txt file.
I've find some directory browsing addresses in my friend's site during the pentest now what? What can i do with it? I just report it or have we some methods to penetrate with directory browsing?

Totally why directory browsing is important?

Ok man so u mean i must report them to turn the directory service off that set? Nothing more?

Also it doesn't stop at the directory you are currently viewing. Just because the current directory doesn't display anything interesting doesn't mean that $path/../../../../../etc/passwd isnt viewable (have to play with the path's here, can sometimes be loaded by script paths, templates, cookies, hidden form fields, etc.) Check out https://www.owasp.org/index.php/Testing_for_Path_Traversal for more info.

You can also try and find hidden directories and content through brute force using tools such as dirbuster for example:

https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project

To pile on top of what everyone else said, if you find old app files, like login.php.bak, guess what, you can download that file and get the raw PHP code, which may contain sql connection credentials, code level notes like:

/* if a user puts in special characters, they can access resources they shouldn't. will fix soon */

All sorts of goodies... This could give you all sorts of juicy tidbits of info for further attacks.