VulnHub provides materials allowing anyone to gain practical hands-on experience with digital security, computer applications and network administration.
How to start:
Download the VMs that you want to start off with and set it up with VMWare or VirtualBox, whichever one you prefer. I would suggest starting with Metasploitable 2, call this your vulnerable machine.
Have another VM setup, preferably running Kali OS, from which you will attack the vulnerable machine, call it your staging machine.
The reason for suggesting Metasploitable 2 is, it contains basic network pentesting and web application pentesting, which will help you learn a lot.
As far as the setting up the virtual machines are concerned, staging machine or vulnerable machine, Google is a reliable source of assistance.
There are walkthroughs available for many vulnerable machines. You can possibly start by going through one of them to gauge how to test the machine, and then venture out on your own with several other vulnerable machines on VulnHub.