Task 1,2: these two have nothing to do with attacks, they are just practices.

Task 3,4,5,6:

You need two VMs. VM1: attacker; VM2: victim.

Completing Task 3,4,5 will be considered as completing 0.5 lab. (Task 1,2 are recommended as they will help you understand XSS).
Completing Task 6 will be considered as completing the other 0.5 lab. (DOM based approach only)

Ignore Task 7 unless you really want to try it.