OWASP supports two hackable-website packages, WebGoat and Mutillidae.
“WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.” – https://github.com/WebGoat/WebGoat
Like Mitillidae and DVWA, WebGoat is simply downloaded (in this case from Github) and placed into your web root or a subfolder. From there just steer your browser to your local webserver (eg. http://127.0.0.1) and start hacking!