Read my Writeup to Forge machine on
TL;DR
User: The Upload an Image page is vulnerable to SSRF, which lets us reach the URL http://admin.Forge.htb. From this URL we get an HTML page that contains FTP credentials and another /upload page that also supports ftp. Using the URL http://admin.Forge.htb/upload?u=ftp://user:heightofsecurity123!@admin.Forge.htb:21/.ssh/id_rsa we get the user private key.
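A defensive counterpart to the upload-by-URL issue above, added here as an example (it is not code from the Forge machine or from this writeup): a check that a server could run before fetching a user-supplied URL. The function name, the INTERNAL_HOSTS set and the injectable resolve parameter are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # rejects ftp://, file://, gopher://, ...
INTERNAL_HOSTS = {"admin.forge.htb"}     # assumed internal-only vhost, stored lower-case


def _resolve(host):
    """Return every IP address the host name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_fetch_url(url, resolve=_resolve):
    """Return (ok, reason) for a URL the server is about to fetch for a user."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")   # .hostname is lower-cased
    except ValueError:
        return False, "malformed url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "embedded credentials"
    if not host:
        return False, "missing host"
    # Compare the normalised name, so admin.Forge.htb and admin.forge.htb match.
    if host in INTERNAL_HOSTS:
        return False, "internal host"
    try:
        addresses = resolve(host)
    except OSError:
        return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    # Every resolved address must be public: loopback, RFC 1918, link-local
    # and similar ranges are where internal-only services live.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"non-public address {addr}"
    return True, "ok"
```

The same check has to be applied to every redirect target, and the fetch should connect to the address that was validated rather than resolving the name a second time.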
Root: By running sudo -l we find that we can run /opt/remote-manage.py as root. Reading the script, we can see that we can trigger the Python script to run pdb. From pdb we can use exec to run Python commands as root; using exec("import os; os.system('cat /root/.ssh/id_rsa')") we get the root private key.