If this is based on a popular distro, maybe; but if you wanted to loosen up a Linux box, you can build a freak from pieces that no one would find lineage for, much less a repo.
Why sit around replacing packages by hand when you're not really learning anything? The best fix for a system like this is to nuke it from orbit and reinstall. I mean, odds are, you'll miss something, and then spend hours fooling around after getting hacked, when you could have just spent your time concentrating on what's important: saving relevant data and configuration, reinstalling, and securing the updated configuration.
The important point, which I did miss, is that it's not just a "security course", it's a course about how to break into things, so you need vulnerable programs. If you're not specializing in security stuff, the best course of action is, however, to just keep your stuff up to date via apt or some similar mechanism.
But in order to properly understand what you could be vulnerable to and the why/how, you should learn how to break into things. Yes, normally, you're working at a higher level of abstraction, but if you want to understand how things really work, you work at a lower level for a while.
Riiight, downloading individual packages, libraries and kernels and building them from source. Which is why I thought it would be a good exercise, however very boring.
Running a Bastille script on the box would give you a quick TODO list. Pushing it to "production" and getting a few servers up and running, across version incompatibilities, would prove a bit more interesting. Running it under an older 2.4.x or 2.2.x kernel, doubly so.