Or use Metasploit:
: Metasploitable 3 includes "flags" (like a CTF) hidden throughout the system to reward your progress. Conclusion metasploitable 3 windows walkthrough
If accessed, you can write a webshell if web server is present (unlikely on default Win Metasploitable 3). Or use Metasploit: : Metasploitable 3 includes "flags"
Use the persistence module to maintain access after a reboot . metasploitable 3 windows walkthrough
Expected open ports (partial list):
If you find Jenkins, navigate there. The credentials in Metasploitable 3 default to admin / admin (or no password).