Download the OWASP BWA files: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Create a folder and extract all files there. Probably a good idea to put the folder right next to your other virtual machines, if you have any. This folder shouldn’t move around.
Open VirtualBox and create a new machine named OWASP BWA (or whatever) as Linux/Ubuntu. Set RAM to something appropriate (I’m using 2Gb because I can).
Use existing hard drive, select the files you just extracted.
You might want to fiddle around with various settings, like bridging the network interface etc. It’s not recommended to allow anyone since OWASP BWA contains multiple security holes, though.