The instruction already tells us that the website is vulnerable to SQL injection.
Checking the source code, we see what kind of request is made to the database.

This will cause the website to make that kind of SQL request : SELECT * FROM users WHERE username="admin" OR "a"="a" AND password="a"="a". Since the statement "a" = "a" is always TRUE, therefore the WHERE condition will return a TRUE result and let us bypass the authentication.