Worng username/password, Try again

Source code:

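<?php
// Credentials submitted by the client in the query string.
$username = $_GET['username'];
$password = $_GET['password'];

// Both expected values are derived from the client-supplied 'auth' parameter:
// username = first 5 characters of base64(md5(auth)), password = md5(auth).
$valuser = mb_substr(base64_encode(md5($_GET['auth'])), 0, 5);
$valpass = md5($_GET['auth']);

// Loose (==) comparison of the submitted values against the derived ones.
if ($username == $valuser && $password == $valpass) {
    echo 'great the flag is : // remove';
} else {
    echo "Worng username/password, Try again";
}

?>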

Flag:

You don't have the flag yet