THM Upload Vulnerabilities -- Bypassing Client-Side Filtering

Go to java.uploadvulns.thm

Check page source to see what kind of files are accepted
It's in "client-side-filter.js"
Change the reverse shell script extension to that one
Start Burp and turn on the interceptor
Upload the script disguised as an image
In Burp, edit the POST request: change the file extension back to .php and set the MIME type to text/x-php.
In "Actions", press "Do intercept response to this request", then hit "Forward".
Intercept the request and delete the JavaScript.
Forward the request
Run gobuster to find the upload directory
Start a netcat listener: nc -lvnp 1234
Navigate to the PHP reverse shell's location on the website
Go back to the terminal and poke around
ls -l /var/www
Find the flag, which is readable and writable by everyone
Get the flag
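The whole chain above works because the only check is JavaScript that runs in the attacker's browser, and the filename and MIME type in the POST are edited freely in Burp. As an added example (not part of the room or this write-up), here is the server-side gate that closes it: the client-supplied filename and Content-Type are treated as untrusted, the decision is made on the file's leading bytes against an image allowlist, and the stored name is generated by the server. The allowlist and the 2 MiB cap are assumed policy values.

```python
import os
import secrets

# Allowlisted image types: extension -> leading magic bytes (constructed for this example).
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap, an assumed policy value


def sniff_image_type(data: bytes):
    """Return the allowlisted type whose signature the content starts with, else None."""
    for kind, sigs in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def claimed_type_mismatch(client_content_type: str, kind: str) -> bool:
    """True when the client's Content-Type header disagrees with the sniffed
    content. Used for logging/alerting only; it never decides acceptance."""
    expected = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}[kind]
    return client_content_type.lower() != expected


def validate_upload(client_filename: str, client_content_type: str, data: bytes):
    """Server-side gate. Returns (accepted, stored_name_or_reason, mismatch_flag).
    Filename and Content-Type from the request are untrusted; only the bytes decide."""
    if len(data) > MAX_BYTES:
        return False, "file too large", False
    kind = sniff_image_type(data)
    if kind is None:
        # PHP source (e.g. a renamed script) carries no image signature.
        return False, "content is not an allowlisted image type", False
    mismatch = claimed_type_mismatch(client_content_type, kind)
    # The extension must agree with the sniffed content, so an edited
    # filename such as shell.php cannot ride on image bytes.
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext != kind:
        return False, f"extension .{ext} does not match content ({kind})", mismatch
    # Store under a server-generated name with the sniffed extension; the
    # client never controls the path, basename or extension on disk.
    return True, f"{secrets.token_hex(16)}.{kind}", mismatch
```

Pair this with storing uploads outside the web root, or on a host that never executes scripts from that directory, so that even a polyglot file with a valid image header is served as data rather than run. The mismatch flag is the detection hook: a Content-Type that disagrees with the bytes is exactly what the Burp edit above produces.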