Creating a vulnerable machine

Hello,
I’m trying to creating my own vulnerable machine. It’s my first time so would appreciate any help.
Machine’s OS: Any Linux (Probably will use Ubuntu or centOS)
Services with vulnerabilities: SSH, webservices and maybe FTP
At the moment I’m reading CTF walk-throughs, CWE and OWASP databases to get inspiration and a moderate understanding of what I need to do.
I know that I can just download some vulnerable services and install them on the VM but atm I’m trying to gather as much information beforehand.

The scenario for the vulnerable machine is half baked (if anyone wants to hear it I’ll leave it in the comments) and it will have some rules of engagement required for a penetration testing engagement. At the end the machine will have a documentation; about critical pathways, rational for proposed vulnerabilities, a network diagram draft will be made for the network architecture.

Like I said, it’s my first time doing a thing like this but I believe it will help me gain a better understanding on pen-testing as a whole.

Thank you.

With the caveat that I’ve never done this.

I would suggest starting off with a plan on what you want the “attack” to be. Build a machine. Secure it as much as possible (selinux etc) and then open up the areas you want to be vulnerable to meet your scenario.

If you want it to be more of a pentest practice, then you could build a machine and configure it to a specific standard (NIST, CSC etc). Then when people attack it, there may or may not be a path in.

Thank you as always @TazWake ? My planning skills were always mediocre and I figure things along the way but the plan is still a working progress (I’ll maybe share it here later).

The machine is somewhat a pentest practice, it doesn’t have specific requirements, everything is left for the imagination.The end goal would be to acquire a flag, it would be best to acquire using horizontal and vertical privilege escalation.I want to have 3 exploitable pathways but don’t want to make the machine clunky and messy.

Thinking about using these service for a buffer overflow vulnerability: Sync Breeze Enterprise 8.9.24 - 'Login' Remote Buffer Overflow - Windows remote Exploit
And combine it with an SSH vulnerability.
Anyways, one step at a time. Like you said, I think it would be best to secure the machine and open up areas that I want to be vulnerable.

P.S
Scenario.
Company A got into a hefty argument with their current system administrator which led to him being fired. He was know for not leaving old grudges behind so Company A decided to hire pen-testing services from Company B to find out if there are any potential vulnerabilities on the system that could lead the company’s A data being compromised.
The pen-tester has no internal knowledge of the target system and is placed as an average hacker. (Still thinking about limitations and rules for the pen-tester but I think I’ll leave it vanilla).