-{ Quote: "The first image is the target, a complete Linux installation with PHP, MySQL and Apache installed. The target is set up to simulate a multi-user machine so there are numerous accounts on the machine representing users. Users have files in their home directories and email as well. Every effort was made to simulate a real, production machine.
The second image is the attack, or testing, platform. This is a CentOS Linux based virtual machine which has many of the testing tools pre-installed and configured for use with the exercise. It is not necessary to use this image if you already have access to the tools on your own machine. The documentation outlines all the tools used for the exercise.
The exercise also consists of thorough documentation, attached to this article. The documentation is distributed in PDF format and will guide users step by step through the exercise. The documentation outlines one of the many paths an attacker could pursue to gain root access to the target machine. The documentation also outlines the tools used in the exercise, why they work, and how they could be defended against. It is not necessary to utilize the attack image if you can install the tools described in the documentation on your own host operating system.
" }-
http://lampsecurity.org/capture-the-flag-4

Why would a web server be a multi-user machine? It should be isolated and running only the bare minimum.
Mrk

Because it probably wouldn't be any fun penetrating something with the bare minimum.

It's designed to be a teaching tool, which contains a gamut of areas to exploit in one package.

Yes. I started a sentence with "Because".