Open source software security

LAMPSecurity Capture the Flag Exercises

8 February 2011
I've been getting a lot of questions over e-mail lately about the LAMPSecurity.org project capture the flag exercises. These exercises are packaged as virtual machines that are vulnerable to root compromise through several series of exploits. The idea is to become familiar with "chained exploits" to compromise a target. Each exercise consists of a virtual machine and a PDF document containing step-by-step instructions. The exercises can be used for training purposes, as self-tutorials, or as part of a penetration testing lab setup.

Although the domain LAMPSecurity.org is no longer online (I didn't want to pay the registration fee any more), the projects are all still hosted on SourceForge at http://sourceforge.net/projects/lampsecurity/. If you click on the 'Files' link you can download the packaged files for each virtual machine. Note that you'll need some way to play a VMware virtual machine (either the free VMware Player or one of their commercial offerings).

When you boot up the virtual machine you won't be able to log in. This is done on purpose. The idea is that you boot up the virtual machine but you have to figure out how to gain access. If you absolutely must be able to log in to the virtual target and you don't have time to crack into the server, just read through the documentation and you'll find valid credentials there.

I am glad so many people have found the exercises useful. Please send me feedback if you have any comments or suggestions.