Another item from Austin Osuide, The Coolest Man in the World (tm).
The gist of the attack is that a user with local admin privs can recover the password hashes of anyone who has logged into the machine (including admins), and then inject the hashes into an authentication transaction with another machine. The result is an escalation of privilege.
Sobering...
https://blogs.pointbridge.com/Blogs/seaman_derek/Lists/Posts/Post.aspx?ID=20
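A defender's view of the sequence described above, as an added example that is not from the linked post: it scans logon records for a privileged account that logged on to a machine and later appears in an NTLM network logon originating from that same machine. The records are constructed, use field names from Windows Security event 4624, and the host names, account names and `privileged` set are assumptions; hits are hunting leads with false positives, not proof.

```python
from collections import defaultdict

INTERACTIVE = {2, 10, 11}  # interactive, RemoteInteractive, CachedInteractive
NETWORK = 3

# Constructed sample records (hypothetical hosts and accounts), one per logon.
EVENTS = [
    {"Time": 1, "Computer": "WKS-07", "TargetUserName": "da-alice", "LogonType": 10,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "ADMIN-PC"},
    {"Time": 2, "Computer": "WKS-07", "TargetUserName": "bob", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "WKS-07"},
    {"Time": 3, "Computer": "FILE-01", "TargetUserName": "da-alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "-"},
    {"Time": 4, "Computer": "DC-01", "TargetUserName": "da-alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WKS-07"},
    {"Time": 5, "Computer": "FILE-01", "TargetUserName": "da-alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "ADMIN-PC"},
]

def find_hash_reuse_leads(events, privileged):
    """Return (time, user, source, target) for each NTLM network logon of a
    privileged account that comes from a host where it earlier logged on."""
    exposed = defaultdict(set)  # user -> hosts that may hold that user's hash
    leads = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        user = ev["TargetUserName"].lower()
        if user not in privileged:
            continue
        target = ev["Computer"].upper()
        if ev["LogonType"] in INTERACTIVE:
            # The account's credentials were present on this machine.
            exposed[user].add(target)
        elif ev["LogonType"] == NETWORK and ev["AuthenticationPackageName"] == "NTLM":
            src = ev["WorkstationName"].upper()
            # NTLM logon to another machine, sourced from an exposed host.
            if src in exposed[user] and src != target:
                leads.append((ev["Time"], user, src, target))
    return leads

if __name__ == "__main__":
    for lead in find_hash_reuse_leads(EVENTS, {"da-alice"}):
        print("review: %s %s from %s to %s" % lead)
```

The same signal also argues for the matching control: keep privileged accounts from logging on interactively to workstations whose local admins are not equally trusted.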