The challenge description was:

This web challenge was really easy, actually it was so easy that I think it wasn't meant to be that way. When you visit the link you are greeted with the following screen:

Checking for SQL injection wasn't returning anything indicating it was what we had to do, so I checked the network traffic while trying to log in and got the following POST data:


Trying to log without any password wasn't possible but checked on the client side, so after trying it with curl in a terminal:

mrt$ curl '' --data 'username=admin&password='
    <title>Lawn Care Simulator 2015</title>
    <script src="//"></script>
    <script src=""></script>
    <link rel="stylesheet" href="">

We got our flag: flag{gr0wth__h4ck!nG!1!1!}