- XML jar remote host and hang for a remote code exec.
- The flag is hosted inside a DMZ machine, and the only machine it can talk to is the public-facing server, which runs the Java application which is vulnerable to XML the script
- Normal XML for a remote DTD to exfiltrate the flag.
- Local DTD file exfiltration.