Web is usually the entry point at security in general.
Here I'll be mainly covering some tools that can help you when you do things related to web pentesting.
In the future I plan to write a guide on what you should usually do in each situation, but remember that's not a rule.
nmap - Nmap is an utility for network discovery and security auditing
WPScan - A black box WordPress vulnerability scanner.
PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF.
PHP Web Shells - Common PHP shells.
LinuxPrivChecker - Script made to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.
LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks