It's pretty much spelled out, no? If you set up a server and don't limit the hostnames, then we use the hostname you (attacker) use to access the server.. simple hosts file update will do that for you. Still need to know the username of a user in the system, but that's not always very difficult 😅