Checking certificates can give you valuable insight. Like who issued the cert or what SUBDOMAINS the cert covers

Hint:
Doing boring nerd stuff uncovers clues

For example if you wanted to see google's cert

```bash
nmap -p 443 --script ssl-cert google.com
```

Google's has a lot of wildcards to cover many subdomains. Other certs specifically call out which subdomains it covers

```bash
nmap -p 443 --script ssl-cert mleitz1.com
```

Don't have nmap? Sad.

Happy hunting!
- Leitz : https://x.com/mleitz1

This is the last hint. If you're still stuck, message or tweet me on x.com/mleitz1