You found it. This is the forgotten internet-facing remote-access host the attacker used — surfaced from a public TLS certificate in the Certificate Transparency logs.
Power & access restored. Submit this flag in CTFd for Stage 1:
FrostByte{c3rt_tr4nsp4r3ncy_n3v3r_f0rg3ts}
Lesson: every public certificate you issue is logged
forever. Attackers enumerate crt.sh for exactly this kind of
forgotten asset. The full methodology is covered in
From PLC to the Cloud.