This blog post explains three ways to exploit Log4j 2.17.2 in a challenge from Google CTF 2022:
- Level 1: Trigger an exception in Log4j that contains the flag
- Level 2: Guess the flag with the help of RegEx conversion patterns
- Bonus: Guess the flag with a time-based side channel using ReDoS

The bonus was not necessary to solve the challenge, but it was fun to code ;)