Hi, thanks for the comment. The lab constantly changes but when I went through the course I noticed mostly Ubuntu and Red Hat for Linux.
For Windows, there is a huge mix. Anything from XP and Server 2003 all the way to Windows 10. Part of the objective is to identify vulnerable services so some of the common exploitable ones were SQL servers, FTP servers, and web applications.
You are allowed Metasploit only on one machine in the exam, but I actually didn’t even use it. The reasoning is that they want you to think about HOW the exploit is actually working rather than just clicking a button without understanding what is going on.
Also, a big part of the exam is identifying how to chain misconfigurations together to actually create a vulnerability flow of sorts. It’s not just active exploits, it could be weak passwords, permission errors, shared credentials…
By the way, you are still allowed to use Metasploit to generate shellcode and create meterpreter shells. The only thing out of bounds is using an active exploit and certain functions of the meterpreter (eg, getsystem is banned).
Hope this helps!