Cron
The 1st cronjob is being executed as the www-data account. This was also verified by PEAS
mysql@yummy:/var/tmp$ id
uid=110(mysql) gid=110(mysql) groups=110(mysql)
The current account, mysql, is has a complete control over the /data/scripts directory
This would mean that I can tamper the /data/scripts/app_backup.sh file to make a lateral movement to the www-data account