Hello,
I'm happy to announce that the second installment (cryptically called
CTF5) of LAMPSecurity.org's capture the flag series of exercises is now
available. This edition is novel in that it includes a 0-day exploit
that can be used (indirectly) to gain root. This is a training exercise
released in support of the educational mission of LAMPSecurity.org. The
exercise is modeled after many of the exercises that are presented in
expensive commercial training courses, except it's free, of course.
Unlike tools like OWASP's WebGoat, LAMPSecurity.org's capture the flag
exercise consists of a full, vulnerable, virtual machine (VMware's free
Player is required). This allows users to explore vulnerabilities at
every level of the LAMP stack. The first exercise includes an "attack"
VM as well, with tools pre-installed (where possible). It also includes
over 60 pages of step-by-step documentation so no prior experience is
necessary (although the documentation only outlines one of several
routes to root compromise). The exercise is designed to educate system
administrators and developers on some common dangers and
misconfigurations facing Linux, Apache, MySQL, PHP (LAMP) applications.
Further details, including the documentation, are available at
http://lampsecurity.org/capture-the-flag-5. The vulnerable virtual
machine and attack image are available from SourceForge at
https://sourceforge.net/projects/lampsecurity/. Constructive feedback is
of course welcome. Thank you and enjoy.
--
Justin C. Klein Keane
http://www.MadIrish.net
http://www.LAMPSecurity.org