You must perform the simplest of XPath injection attacks.
Your objective is to get the query to return all usernames instead of just one.
PARAMETERS:
Injection Type - String value in condition
Sanitization - None
Output - All results, verbose errors, query shown