I think the good folk @ Heorot would be able to get you going on a framework. But I'll chime in on how I would set it up on a different scale/methodologyDivide and Conquer
3 Windows guests (2003, XP, 2007)
3 Nix guests (CentOS, FreeBSD, OpenSolaris)
The three Windows hosts would represent a semi real world environment in the sense that many businesses have 2003 Server for servers (duh!/doh!), XP as a typical desktop and some with 07 as a desktop.
The desktops can be used with non-admin accounts whereas the students could study client side attacks to escalate. The servers would run IIS with a "known to be exploitable" CMS system on them.
On the Nix side of things, the harsh reality of going with CentOS is that RHEL is used heavily on corporate environments. If you can get your hands on older versions of RHEL say RHEL9, then you'd be good to go. Same rules apply. Configure a couple of applications that are vulnerable. Say a Linux server running a vulnerable version of Hylafax locally, an exploitable version of Nagios or Cacti. Maybe even Joomla or Wordpress. For the kernel, I'd head over to exploit-db and look up "local escalation" +kernel +Linux and place a vulnerable kernel on. Users would have low privileges and need to work their way up the food chain. Same goes for Solaris.
On the FreeBSD side of things, I'd block all but ONE machine from connecting to it and have FreeBSD doing something (say NFS, etc.) where a machine needed to connect to the FreeBSD machine. The only way in would be to compromise either a Linux or Windows box and work your way in to a non-privileged account on FreeBSD and work your way up as well.
This is the compromise phase right... Twist... I'd have them document what steps and procedures as well as tools they used and pair them up... Once someone passes their goals. They'd now have to mop up the vulnerabilities, defend the box and either swap off with another student to see if they've locked down the box good enough or if they've failed and not understood the attacks.Analogy
If you've ever watched a cooking show, you'd see that chefs are mess makers. Sure they cook great meals, but the goal of a chef is to create a tasty masterpiece. He doesn't care to clean up his mess. After all that's what he has assistants for.
On the flip side of this, rarely does one become a chef without going through the assistant phase of mopping the floor, gathering all the ingredients, etc., it's a learning process.My distorted thought process
By making them not only compromise but yet lock down the machines, they'd need to familiarize themselves with "events" and "logging." I'd have them watch in parallel events in Windows and logs in Nix. This will allow them to understand what is going on when they attack. It can enable to see what a vigilant admin/engineer would see as an attacker was trying to work their way in. In doing so, they learn what to look for as well as gain an understanding of how to try to be more covert in their actions. At the same time they learn "the art of the compromise", they'd learn a little about incident response and forensics (to a minute degree).
After all is said and done, they should be able to effectively get an account, document and explain HOW they got the account. Document and explain what they tried (if they did) to make themselves more covert. Document and explain steps THEY would take to defend the castle.
However, this approach is sort of like I guess the OSCP on steroids maybe. Think about it. Compromise + Defend are like oil and water. Likely to overwhelm your students.Extra points
Compromise a machine with NO DOWNLOADED TOOLS. Use whatever you make available to them on a separate clean Nix machine. No NMAP, no use of metasploit, no automated Wikto/Nikto/etc scanner. Just hardcore terminal action