I just played the "Capture the flag" game as part of the SANS Security 504 class. Finding the solution was a lot of fun, and I did not think I would enjoy it as much as I did. The question remains: how close is capture the flag to real (white hat) penetration testing? This particular exercise was not that hard to solve, and I find it hard to believe that the "real world" has as many coincidences as the Virtual Lab does.