This blog post explains three ways to exploit Log4j 2.17.2 in a challenge from [Google CTF 2022](https://capturetheflag.withgoogle.com/):

- Level 1: Triggering an exception in Log4j that contains the flag
- Level 2: Guessing the flag with the help of RegEx conversion patterns
- Bonus: Guessing the flag with a time-based side channel using [ReDoS](https://en.wikipedia.org/wiki/ReDoS)

The bonus was not necessary to solve the challenge but fun to code ;)

[Full writeup](http://sigflag.at/blog/2022/writeup-googlectf2022-log4j/)