Designing a Capture The Flag target and game management system

As mentioned by this.josh, you can look at multiple already existing vulnerable applications in this question or you might try to find existing CTF source codes - for example, look at the OWASP hackademic challenges. You might just take one of these and modify them slightly for your students. Also, try to contact authors of past CTF's - they might help you by giving their source codes. Here's a handy calendar of various CTF challenges with appropriate links.


I once stumbled upon a OS VM machine which is called Metasploitable, it is made by the creators of Metasploit and is used as a target machine for practicing.

It is, and this is a quote from the page:

Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are >included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, >twiki, and an older mysql.

If you go through some exploits yourself, you can assign these tasks to your students and give them some guidelines.

Here is the link:

Metasploitable

And a link for the metasploit framework

Metasploit

And last but not least, Backtrack 5, if you havnt already introduced your students to this OS and compilation of pentest software:

Backtrack


Instead of creating a new demo system with intentional vulnerabilities from scratch, take a look first at the existing ones:

Google's Gruyere codelab, "Web Application Exploits and Defenses" http://google-gruyere.appspot.com/

OWASP's WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project