Like everyone else, I started watching walkthrough videos and reading blog posts in the beginning to familiarize myself with methodologies while taking detailed notes and follow along with them with my Kali Linux machine.
Besides working on lab machines, I've learned some core penetration testing methodologies. Below is not the complete list but the summary of the learning progress.
Port scanning with Nmap
Directory busting with gobuster/dirsearch
HTTP enumeration with Nikto and CMS scanning tools such as WPscan
SMB enumeration
Active Directory enumeration and attacks using popular tools like mimikatz and powerview, obtaining domain controller's kerberos tickets and cracking them offline to access it.
Cracking passwords with patator/john
Creating malicious executables with msfvenom
PHP command injection
Exploitation with Powersploit
SQL injection (Union attacks, login bypass)
LFI/RFI
Using Burpsuite to observe network traffics and brute force logins
Privilege Escalation techniques such as spawning a tty shell/utilizing GTFO bins to get root shells/cross compiling exploits/modifying and exploiting cron jobs)
Various Antivirus evasion techniques
Finding public exploits for vulnerable services, modifying them if needed to exploit machines
Buffer Overflow exploitation
Transferring files between Kali and the Target using different techniques
Check out the CTF boxes I've completed so far here
While getting ready for OSCP, I discovered that I was interested in the particular filed. Here's some of the resourced I've used to educate myself on the topic.
PortSwigger's Academy
SQL injection (login bypass, UNION attack for different database types)
XSS(Reflected, Stored, DOM)
CSRF
The WAHH
I'm in the middle of going through The Web Application Hacker's Handbook while I go through PortSwigger's web academy.
Bugcrowd University
Bugcrowd has youtube videos on some basic Web App pentesting methods.
Some topics covered were Burp Suite, Broken Access Control Testing, XSS, How to make a good bug submission.
Udemy Courses Completed
I understand taking courses is not the same as having experience, but I do believe you have to start from somewhere.