Looks like linpeas.sh is no more after that code extracting user data was spotted.

ADCS Exploitation Series — Part 2: Certificate Mapping + ESC15 Certificate mapping is the process at the heart of multiple ADCS vulnerabilities, so I thought it would be appropriate to dedicate it its…

Great article on ESC15 especially after you realise PKInit won't work to auth but there is a workaround supplied too.

medium.com/@offsecdeer/...