4 box enum

bash-4.2$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
guly:x:1000:1000:guly:/home/guly:/bin/bash

# user guly has 2 interesting files
bash-4.2$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php

bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

PEAS

╣ Operative system
Linux version 3.10.0-957.21.3.el7.x86_64
# no gcc

╣ Users with console
guly:x:1000:1000:guly:/home/guly:/bin/bash
root:x:0:0:root:/root:/bin/bash

-rw-r--r--. 1 root root 475 Oct 30  2018 /usr/lib/firewalld/services/vnc-server.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>

-rw------- 1 guly guly 639 Jul  9  2019 /home/guly/.viminfo

╣ Mails (limit 50)
    71    4 -rw-rw----   1 guly     mail         2941 Jul  2  2019 /var/mail/guly
    71    4 -rw-rw----   1 guly     mail         2941 Jul  2  2019 /var/spool/mail/guly