• The Missing Semester of Your CS Education: Great text and video resources about essential tools and techniques such as command line usage, shell scripting basics, git, debugging and more!
• Game Programming Patterns: Excellent breakdown of the most useful programming patterns.

• dockcross: Cross compiling toolchains in Docker images.
• dockbuild: Compiling environments in Docker images.

• Azeria Labs: Detailed ARM assembly tutorials and ref card.

• Hacktricks.
• The Hacker Recipes.
• From the amazing Swissky:
  • PayloadsAllTheThings (Github): general, cross-domain info.
  • InternalAllTheThings (Github): Active Directory and internal pentest.
  • HardwareAllTheThings (Github): hardware / IoT / embedded things.
• Red Team Notes.
• Pentest Book by Six2dez.
• Offsec Tools: large collection of, well, offsec tools.
• Talkback.sh: AI-powered infosec resource aggregator.

• CTFtime: Lists all major CTF events and teams.
• Root-Me: Plenty of challenges from various categories and difficulty levels.
• CryptoHack: Tons of fun and educational challenges.

• Survive The Deep End: PHP Security:

• Frama-C: Static analysis and formal proof for C programs.
• Krakatoa and Jessie: Front-ends to the Why platform for deductive program verification.

• Linux Privilege Escalation via Dynamically Linked Shared Object Library.
• GTFOBins: Common exploitable UNIX binaries and ways to take advantage of them.
• LinEnum: Shell script for Linux enumeration.

• OWASP Mobile Security Testing Guide: Comprehensive guide for both Android and iOS with testing guide, verification standard and checklist.

• AppMon: Automated framework for monitoring and tempering system API calls for macOS, iOS and Android.
• Frida: General purpose toolkit for dynamic instrumentation of binaries.
• Objection: Runtime mobile exploration toolkit based on Frida for both iOS and Android.

• MOBISEC course on Android security: Includes videos, slides and challenges by Yanick Fratantonio.
• Android-Security-Awesome: Collection of Android-related pentest tools.

• iOS Pentesting Tools: Series of 4 blog posts introducing the process of testing iOS applications by Allyson O'Malley.

• Shodan: In-depth search for any internet connected machine.
• Shodan Pentesting Guide by Turgensec.
• Onyphe: Cyber Defense Search Engine.

• Google Hacking Diggity Project: Search engine hacking.
• Google Hacking Database: Collection useful Google dorks from exploit-db.
• SANS Google Dork Cheatsheet (PDF).

• nmap-formatter: convert nmap's output to HTML, CSV, JSON, Markdown, Dot, SQLite, Excel, D2.
• nmap-bootstrap-xsl: apply a stylesheet to nmap's XML output and optionally convert it to HTML.
• awesome-nmap-grep: several grep (and friends) patterns to parse nmap's output.

Guides:

• The Art of Subdomain Enumeration gitbook by Appsecco
• Patrik Hudak's blog: subdomain enumeration and targeted OSINT techniques

Tools:

• OWASP Amass: large attack surface mapping and asset discovery framework
• assetfinder: find subdomains from various open sources
• Sonardb by Omnisint: simply request https://sonar.omnisint.io/subdomains/<tld.com>
• massdns: high performance DNS stub resolver
• Jason Haddix's all.txt DNS wordlist

• JavaScript Engine Fuzzing and Exploitation Reading List by Zon8 Research.

• XSS Cheatsheet by portswigger.net.
• XSS tips and tricks by Hacktricks.

• Lateral Movement Megaprimer.
• Attacking Active Directory (PayloadAllTheThings) by Swisskey.
• Darth Sidious' Gitbook: Lab setup and classic exploitation techniques.
• How to Attack Kerberos 101: blog post by m0chan.
• Credentials Dumping Cheatsheets: Links to various detailed posts about credentials dumping on Windows.
• LOLBAS: Common exploitable Windows binaries.
• AD exploitation cheatsheet by Cas van Cooten: from 2021 but still quite relevant.
• AADInternals.com: The ultimate Entra ID (Azure AD) / Microsoft 365 hacking and admin toolkit.