The local 2600 chapter where I live is planning on doing a Hacker Capture The Flag event (sometime in the future, could be months away), in which all of the vulnerable boxes will be run from virtual machines. I think we're going to be setting these up ourselves, and I don't see any reason why we couldn't distribute those images after they're tested. Of course, we probably wouldn't divulge what any of the vulnerabilities are; you have to find that on your own.
However, at this point, it becomes exactly like the De-ICE images, etc., so I'm not really sure that's what you're looking for.
On a side note, I feel that this is a bit harsh:
Chadk wrote: it only allows you to try out concepts, not apply them in a real-life situation that gives you any experience you can use anywhere else.
These tools DO provide real-life situations. Some of them are a little outdated, but the idea is to first fix the outdated ones, then go on to the harder ones. For example, if DVWA has a SQL Injection vuln., fix it and go on to the next thing. You can really play both sides of these images, finding the vulnerabilities, and hardening the OS.
The other thing you can do is set up your own VM to break into. Set it up running a webserver, or other services, and have someone else change all the passwords for you. Or have a friend set up the VM for you entirely. If you don't know anybody that could help you with this, look for a local 2600 chapter, or Linux Users Group.
Also, if you are doing any kind of security-related work for a company, you may be able to take an image of their webserver and test it in a virtual environment. This would allow you to scan for vulnerabilities, without worry of breaking it, because it won't be in production. This also gives you the ability to break it over and over again, using a duplicate of the original image every time you want to start from scratch.
Hope this helps, keep us posted on your findings. There are a lot of us here that would also like to do what you're wanting to do.