For a while now I've been maintaining a VM with several vulnerable web apps already deployed:
- Mutillidae (nowasp)
- Web for Pentester I (from pentesterlab.com)
- Google Gruyere
- OWASP Juice Shop
The VM has Burp Suite free, Chromium with a few extensions (including a proxy switcher) and sqlmap. The browser home page contains links to some exercises and walkthroughs.
root // password
tux // password