More or less the same way we did? Reading about vulnerabilities, reviewing metasploit modules, fuzzing applications on your local box, reading hack post-mortems (all of which is SOOO much easier than it used to be).
They will also have the huge leg-up of being able to download vm images like Kali and DamnVulnerable{Linux, WebApp} to practice with/on. When I think about how much time I spent early in my career hand-rolling a vulnerable machine so I could try out some new msf module, only to crash my laptop when it executed and have to start over...
This myth that everyone learned by hacking actual websites etc, and therefore this is the only (or even the best) way to learn needs to die in fire. Lots of elite practitioners learned their craft without doing anything that would be considered remotely illegal.
They will also have the huge leg-up of being able to download vm images like Kali and DamnVulnerable{Linux, WebApp} to practice with/on. When I think about how much time I spent early in my career hand-rolling a vulnerable machine so I could try out some new msf module, only to crash my laptop when it executed and have to start over...
This myth that everyone learned by hacking actual websites etc, and therefore this is the only (or even the best) way to learn needs to die in fire. Lots of elite practitioners learned their craft without doing anything that would be considered remotely illegal.