For a while now I've been maintaining a VM with several vulnerable web apps already deployed:
- Mutillidae (nowasp)
- Google Gruyere
- Web for Pentester I (from pentesterlab.com)
The VM has Burp Suite free, Chromium with a few extensions (including a proxy switcher) and sqlmap. There are a few suggested exercises in a text file on the desktop.
- root // password
- tux // password