*.testlab.local DNS records are now being spoofed to our attacker machine. From here, we can abuse the WPAD DNS request seen above: we host a custom wpad file, which the victim workstation then requests over HTTPS. When it makes this request, it also submits the NTLM hash of its associated computer account. We can relay that NTLM hash to the Domain Controller and abuse the permissions the computer account already holds. By default, any Active Directory account (user objects and computer objects alike) is allowed to create up to 10 computer objects in the domain. Once we've relayed the NTLM hash to the Domain Controller, we can add a new computer to the domain and also edit our own computer object. The attribute we modify is "msDS-AllowedToActOnBehalfOfOtherIdentity", which controls which principals may impersonate any account when authenticating to that computer. This is resource-based constrained delegation, and it is possible to craft the scenario above starting from zero privileges within an enterprise environment.
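The chain above rests on two domain settings a defender can check directly: the default computer-object quota, and any computer object whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute has been populated. The following audit script is an added example and is not part of the original post; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller has read access to the domain. The attribute names ms-DS-MachineAccountQuota and mS-DS-CreatorSID are real AD schema attributes; the function names are the example's own.

```powershell
# Added audit example (not from the original post). Assumes the ActiveDirectory
# RSAT module and read access to the domain naming context.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # ms-DS-MachineAccountQuota lives on the domain object itself. The default
    # value is 10; setting it to 0 removes the "any user can add a computer"
    # foothold the relay chain relies on.
    $domain = Get-ADDomain
    (Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-QuotaCreatedComputers {
    # When an ordinary account uses the quota to add a computer, AD records the
    # creator's SID in mS-DS-CreatorSID. Admin-created computers leave it empty,
    # so any hit here deserves a look at who created it and when.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties 'mS-DS-CreatorSID', 'whenCreated' | ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $sid.Value }   # unresolvable SID (deleted account) stays as S-1-5-...
        [pscustomobject]@{
            Computer = $_.Name
            Creator  = $creator
            Created  = $_.whenCreated
        }
    }
}

function Get-RbcdTrustees {
    # msDS-AllowedToActOnBehalfOfOtherIdentity is a binary security descriptor.
    # Decode it so each ACE's trustee (the principal allowed to impersonate users
    # to this computer) is listed by name. whenChanged shows when it was last set.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'whenChanged' | ForEach-Object {
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm($_.'msDS-AllowedToActOnBehalfOfOtherIdentity')
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Computer    = $_.Name
                AllowedToAct = $ace.IdentityReference.Value
                AccessType   = $ace.AccessControlType
                Changed      = $_.whenChanged
            }
        }
    }
}

# --- report ---
$maq = Get-MachineAccountQuota
Write-Host "ms-DS-MachineAccountQuota = $maq"
if ($maq -gt 0) {
    Write-Warning "Any authenticated account can create $maq computer objects; consider setting the quota to 0."
}

Write-Host "`nComputer objects created through the quota (mS-DS-CreatorSID set):"
Get-QuotaCreatedComputers | Format-Table -AutoSize

Write-Host "`nComputers with resource-based constrained delegation configured:"
Get-RbcdTrustees | Format-Table -AutoSize
```

In an environment that never uses RBCD on purpose, the third list should be empty; a computer whose trustee is another machine account created moments earlier by a non-admin user is exactly the footprint the scenario in this section leaves behind. Running the script on a schedule and diffing the output gives a cheap detection, and setting the quota to 0 plus removing the WPAD DNS dependency (or pre-registering a real wpad record) takes away the preconditions.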