FYI, because I found it really hard to figure out, the exact 2021 OWASP Top 10 classification is: "A03:2021-Injection".
Firstly, let's check the machine for open ports (exchange ip with the actual ip address):
nmap -v -Pn ip
The important part of the result is:
PORT STATE SERVICE 80/tcp open http
We can gather more information:
nmap -sC -sV ip
Will output this:
PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: Login
Now, copy the ip address of the Hack the Box machine and open it with any web browser. A login page appears. The login is prone to SQL Injection, so we can try to login with a default credential like "admin". But we will add a single quotation mark and a # symbol, which will turn everything behind it into a comment (in our case the password part).
Then hit login and you are presented with the flag!