LAMPSecurity Capture the Flag Reviewed

I recently finished the latest installment of the LAMPSecurity.org Capture the Flag exercise. I've managed to get some feedback from folks, and the reception has generally been good. One review at the Preach Security Blog actually wanted the exercise to be harder :)

The LAMPSecurity capture the flag exercises grew out of training work I'm doing at my job to teach programmers and sysadmins about common security vulnerabilities. The exercises are designed to simulate real-world systems: they have multiple user accounts, each with different privileges, and users have e-mail and home directories full of files that realistically simulate actual usage. Each system is built from a full operating system (usually an RPM-based Linux distribution such as Fedora or CentOS) and then enabled with various services and applications. This allows "attackers" (i.e. participants) to explore weaknesses at every level of the application stack, from the underlying operating system all the way up to code-level weaknesses such as input validation flaws.

So far the exercises have focused on web application security, but in the future I'm hoping to expose more services to misconfiguration and exploitation. Note that there are three exercises so far on SourceForge: capture the flag 4, simple web app, and capture the flag 5. If anyone has any requests, please send them my way and I'll try to incorporate them into the next version!