For pentesting training, I mostly use virtual machines that have been created with multiple vulnerabilities to practice exploitation techniques.
Those machines mostly include several vulnerabilities, so that penetrating a system through multiple exploitation techniques becomes a challenge to be solved.
However, sometimes a "smaller" approach is necessary:
- if the goal is to see a specific vulnerability in action, or
- if the goal is to see whether a certain defense mechanism does indeed protect against an exploit.
This is why I came up with the idea of using Docker (which I wanted to learn about anyway) to publish systems that contain only a single exploitable vector.
I named this "Vulnerability as a Service" and created my first Docker container with a Shellshock-exploitable web application.