I realised it was SQL injection with MongoDB. I reasearched a bit and came across [this answer](https://security.stackexchange.com/a/83234). I tried the payload that was shown in the example: `'; return '' == '` as password and admin as username.


AND IT WORKED!


Flag: `flag{easier_than_picture_lab_at_least}`