If you're looking at using Debian for a vulnerable VM, you'll likely need an ISO image.
This presents a bit of a problem, as Debian no longer have all their older ISOs available for download, as "there is not enough space on our servers to host them".
Instead, Debian have started using something called "jigdo", which you can read about here.
The short version is that using jigdo, you can download the individual files that are on the CD or DVD and create your own ISO.
I've yet to use this process, so unfortunately I can't offer any advice or information in relation to it.
If you're lucky, you can still find some ISOs available for download from here, but it is hit and miss.
Just a word of warning on the jigdo versions.
It might be possible that the versions include patched or later versions of vulnerable software.