In addition to shadow's response, an easy server to put out with a minimum of fuss is to get the XAMP suite from apachedfriends.org.

What I did when first starting was to just drop it on my VM, start it up and start hitting it.  Then I started to apply hardening measures until the easy stuff wouldn't work.  After that you can search for new vulnerabilities and get creative.

regards

CT

One thing I've noticed here is that the providers always put up very generous prizes.  Thanks to all who give their products and expertise to help the community!

I'm  going to have to jump on board with Ziggy on this one.  When you're putting together a security plan, one of the first things you do is determine how critical what you're protecting is, and the risk/reward involved in protecting it.

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.

I use metasploit and Rapid7's online guides for a good deal of my penetration testing.  I'm one of those learn by doing weirdos.  It's a great platform for not only working, but learning as well.  If you're a command line nerd like me, the tool shows you some advanced functions available from other tools.  Since I've started, I've learned things that NMap can do that I've never tried.

I frequent Rapid7's website and register for their webcasts whenever I can.  They always have good discussion and follow it up with some practical examples using their tools.

Also, please don't overlook the social engineering/physical security aspect.  You'll need good information to provide a direction and avenues of attack once you've identified a target.  All the tool proficiency in the world is useless if you can't gain access (physical or network) to the system.

Good luck in your endeavors.