@munin I'd point them at the OWASP Top 10 and stuff like DVWA, since web stuff is generally the most accessible place to start and webapp tests are still the meat of generalist pentest work.
picoCTF and OverTheWire are beginner friendly CTFs, although I'd warn them that getting too heavily into CTF challenges has a tendency to pigeonhole your thinking, so make sure to look at real bugs in real code too (search for CVEs with write-ups, read them)
@munin most appsec stuff being done at generalist pentest places is gonna be Windows, so for RE skills I'd tell them to start with grabbing dnSpyEx or ILSpy and pulling some .NET programs apart with it, figuring out how they do stuff, modifying them to have different behaviour. single player Unity games are great for this cos you can load up Assembly-CSharp.dll and see ~all the game code. don't worry so much about looking for security bugs specifically, the core RE skills are more important.
@munin I don't have much in the way of advice for the infra side since that's never been my bag.
@munin I threw together a list of 100 keywords to search. should be useful for just learning a bunch of different concepts and tools and such that come up frequently.
covers web, desktop/server apps, infrastructure, cryptography, a bit of cloud, and code review.
https://gist.github.com/gsuberland/dc3656eb0146adfeebef7b02b0d70a0b
