The instruction already tells us that the website is vulnerable to SQL injection.
Checking the source code, we see what kind of request is made to the database.
username : admin” or “a”=”a
password : a”=”a
This will cause the website to make that kind of SQL request : SELECT * FROM users WHERE username="
admin" OR "a"="a" AND password="
a"="a". Since the statement "a" = "a" is always TRUE, therefore the WHERE condition will return a TRUE result and let us bypass the authentication.