
MinIO and S3-Compatible Storage

Default Ports: 9000 (API), 9001 (Console), 80/443 (S3 Gateways)

MinIO and S3-compatible storage services store objects inside buckets. In pentests, misconfigured buckets can expose backups, uploads, logs, CI artifacts, static files, model files, and secrets.

Connect

Using AWS CLI

AWS CLI works with S3-compatible endpoints by setting --endpoint-url.

aws --endpoint-url http://target.com:9000 s3 ls
aws --endpoint-url http://target.com:9000 s3 ls s3://bucket-name
aws --profile pentest --endpoint-url http://target.com:9000 s3 ls

Using MinIO Client

mc is the native MinIO client for bucket and object operations.

mc alias set target http://target.com:9000 ACCESS_KEY SECRET_KEY
mc alias set target http://target.com:9000
mc ls target
mc ls target/bucket-name

Using s3cmd

s3cmd is useful for older S3-compatible workflows.

s3cmd --host=target.com:9000 --host-bucket=target.com:9000 ls
s3cmd --host=target.com:9000 --host-bucket=target.com:9000 ls s3://bucket-name

Using HTTP Requests

Direct HTTP requests show S3-style XML errors and public object access.

curl -i http://target.com:9000/
curl -i http://target.com:9000/bucket-name/
curl -I http://target.com:9000/bucket-name/object.txt

Recon

Service Detection with Nmap

Scan MinIO API, console, and reverse proxy ports.

nmap -p 80,443,9000,9001,9443 -sV target.com
nmap -p 9000,9001 --script http-title,http-headers target.com
nmap -p 443,9000,9001,9443 --script ssl-cert,ssl-enum-ciphers target.com

Endpoint Discovery

S3-compatible APIs often return XML errors such as AccessDenied or NoSuchBucket.

curl -i http://target.com:9000/
curl -i http://target.com:9001/
curl -i https://storage.target.com/
curl -s http://target.com:9000/ | head

Bucket Name Discovery

Test likely bucket names based on organization, app, and environment.

for b in backup backups prod staging dev logs uploads assets; do
aws --endpoint-url http://target.com:9000 s3 ls s3://$b
done
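As an added example (not part of the original page), a small Python helper that classifies the XML bodies returned by the endpoint discovery and bucket name probes above, so that NoSuchBucket, AccessDenied and a successful ListBucketResult are triaged consistently instead of read by eye; the sample responses and bucket names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the S3 XML namespace, e.g. {http://s3.amazonaws.com/doc/2006-03-01/}Name -> Name."""
    return tag.rsplit("}", 1)[-1]

def classify_s3_response(status, body):
    """Map one raw S3/MinIO response to a verdict: public-listing, exists-private, missing, unknown."""
    result = {"status": status, "code": None, "verdict": "unknown", "keys": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result            # HTML, empty body, or not an S3-style service
    kind = _local(root.tag)
    if kind == "ListBucketResult":
        # Listing succeeded without credentials: the bucket is world-listable.
        result["verdict"] = "public-listing"
        for contents in root:
            if _local(contents.tag) != "Contents":
                continue
            for child in contents:
                if _local(child.tag) == "Key":
                    result["keys"].append(child.text)
        return result
    if kind == "Error":
        fields = {_local(c.tag): (c.text or "") for c in root}
        result["code"] = fields.get("Code")
        if result["code"] == "NoSuchBucket":
            result["verdict"] = "missing"
        elif result["code"] in ("AccessDenied", "AllAccessDisabled"):
            result["verdict"] = "exists-private"
    return result

# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "uploads": (200, '<?xml version="1.0" encoding="UTF-8"?>'
        '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
        '<Name>uploads</Name><Contents><Key>avatars/1.png</Key></Contents>'
        '<Contents><Key>db-backup.sql.gz</Key></Contents></ListBucketResult>'),
    "backups": (403, '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
        '<Message>Access Denied.</Message><BucketName>backups</BucketName></Error>'),
    "staging": (404, '<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
        '<Message>The specified bucket does not exist</Message></Error>'),
}

def triage(samples):
    """Summarise a {bucket: (status, body)} mapping as {bucket: verdict}."""
    return {name: classify_s3_response(s, b)["verdict"] for name, (s, b) in samples.items()}
```

Feeding the body of each `curl -s` response from the loop above into `classify_s3_response` separates buckets that exist but are locked down from buckets that are genuinely public.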

Console Fingerprinting

The console can expose MinIO version and login behavior.

curl -I http://target.com:9001/
httpx -u http://target.com:9001 -title -tech-detect -status-code

Enumeration

Anonymous Bucket Listing

Anonymous listing is the first storage misconfiguration to validate.

aws --no-sign-request --endpoint-url http://target.com:9000 s3 ls
aws --no-sign-request --endpoint-url http://target.com:9000 s3 ls s3://bucket-name
mc anonymous list http://target.com:9000/bucket-name

Object Enumeration

Object names often reveal backups, logs, credentials, and internal paths.

aws --no-sign-request --endpoint-url http://target.com:9000 s3 ls s3://bucket-name --recursive
mc ls --recursive target/bucket-name

Permission Enumeration

Check read, write, delete, and policy access separately.

aws --endpoint-url http://target.com:9000 s3 cp test.txt s3://bucket-name/pentest-test.txt
aws --endpoint-url http://target.com:9000 s3 rm s3://bucket-name/pentest-test.txt
mc anonymous get target/bucket-name
mc anonymous set download target/bucket-name

Policy Enumeration

Bucket policies show public or overly broad access.

aws --endpoint-url http://target.com:9000 s3api get-bucket-policy --bucket bucket-name
aws --endpoint-url http://target.com:9000 s3api get-bucket-acl --bucket bucket-name
mc anonymous get target/bucket-name
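As an added example (not from the original page or the MinIO project), a Python auditor for the JSON printed by `aws s3api get-bucket-policy` that flags Allow statements granting listing, read, write, delete or policy changes to an anonymous principal, including wildcard actions such as `s3:*`; the sample policy, bucket name and account id are constructed.

```python
import json
from fnmatch import fnmatchcase

# Actions that matter when granted to everyone; policy actions may be wildcards
# such as "s3:*" or "s3:Get*", so each known action is matched with fnmatchcase.
BROAD_ACTIONS = {"s3:ListBucket": "anonymous listing", "s3:GetObject": "public read",
                 "s3:PutObject": "public write", "s3:DeleteObject": "public delete",
                 "s3:PutBucketPolicy": "policy takeover"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": ["*", ...]}: everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and any("*" in _as_list(p) for p in principal.values())

def audit_bucket_policy(get_bucket_policy_output):
    """Flag Allow statements granting a BROAD_ACTIONS entry to an anonymous principal.

    Input is the JSON printed by `aws s3api get-bucket-policy`; its "Policy"
    value is the policy document itself, encoded as a JSON string."""
    policy = json.loads(json.loads(get_bucket_policy_output)["Policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for known, risk in BROAD_ACTIONS.items():
                if fnmatchcase(known, action):
                    findings.append({"sid": stmt.get("Sid"), "action": known, "risk": risk,
                                     "resources": _as_list(stmt.get("Resource", []))})
    return findings

# Constructed samples in the shape `aws s3api get-bucket-policy` prints (no real bucket).
SAMPLE_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::uploads", "arn:aws:s3:::uploads/*"]},
        {"Sid": "CiWrite", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/ci"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::uploads/*"},
    ],
})})
WILDCARD_OUTPUT = json.dumps({"Policy": json.dumps({"Statement": {"Effect": "Allow",
    "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::uploads/*"}})})
```

The `CiWrite` statement is not reported because its principal is a named user; only the anonymous grants surface, each with the resources it applies to.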

Versioning Enumeration

Versioning can expose deleted or older sensitive objects.

aws --endpoint-url http://target.com:9000 s3api get-bucket-versioning --bucket bucket-name
aws --endpoint-url http://target.com:9000 s3api list-object-versions --bucket bucket-name

Attack Vectors

Public Read Access

Public reads can expose large object collections.

aws --no-sign-request --endpoint-url http://target.com:9000 s3 ls s3://bucket-name --recursive
curl -I http://target.com:9000/bucket-name/object.txt

Public Write Access

Public writes can enable defacement, malware hosting, or data pollution.

echo "pentest" > pentest.txt
aws --no-sign-request --endpoint-url http://target.com:9000 s3 cp pentest.txt s3://bucket-name/pentest.txt

Leaked Access Keys

MinIO and S3 keys are often stored in configs and CI variables.

rg -n 'AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|MINIO_ROOT_USER|MINIO_ROOT_PASSWORD|endpoint-url|s3://' .
aws configure --profile leaked
aws --profile leaked --endpoint-url http://target.com:9000 s3 ls

Sensitive Object Exposure

Search object names and downloaded samples for obvious secrets.

aws --endpoint-url http://target.com:9000 s3 ls s3://bucket-name --recursive | grep -Ei 'backup|dump|secret|password|token|key|config|env|sql|zip|tar'
trufflehog filesystem downloaded-bucket/

Presigned URL Abuse

Presigned URLs may be overlong, leaked, or usable for unintended objects.

curl -I 'https://storage.target.com/bucket/object?X-Amz-Signature=...'
aws --endpoint-url http://target.com:9000 s3 presign s3://bucket-name/object.txt --expires-in 3600
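An added Python example (not from the original page) that decodes the SigV4 query parameters of a presigned URL offline to report its validity window, which access key signed it, and whether its lifetime exceeds a review threshold; the sample URL, key id, region and signature are constructed placeholders, and the one-hour threshold is a policy choice assumed here, not an S3 limit.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Review threshold assumed by this example; SigV4 presigned URLs themselves can be
# issued for up to seven days (604800 seconds), which is the value in the sample.
MAX_SANE_LIFETIME = timedelta(hours=1)

def inspect_presigned_url(url, now=None, max_lifetime=MAX_SANE_LIFETIME):
    """Decode the SigV4 query parameters of a presigned URL without contacting the server.

    Returns None when X-Amz-Date or X-Amz-Expires is absent (not a SigV4 presigned URL).
    """
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    if "X-Amz-Date" not in q or "X-Amz-Expires" not in q:
        return None
    issued = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(q["X-Amz-Expires"][0]))
    expires = issued + lifetime
    now = now or datetime.now(timezone.utc)
    # X-Amz-Credential is "<access key>/<date>/<region>/s3/aws4_request"; the access
    # key tells you which credential signed the URL, i.e. the one to rotate if it leaked.
    credential = q.get("X-Amz-Credential", [""])[0]
    return {
        "object": parsed.path,
        "access_key": credential.split("/")[0],
        "issued": issued,
        "expires": expires,
        "lifetime_seconds": int(lifetime.total_seconds()),
        "still_valid": issued <= now < expires,
        "overlong": lifetime > max_lifetime,
    }

# Constructed sample: a seven-day URL for an export file; the signature is a placeholder.
SAMPLE_URL = ("http://target.com:9000/uploads/export.csv?X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
              "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host"
              "&X-Amz-Signature=PLACEHOLDER_SIGNATURE")

if __name__ == "__main__":
    for key, value in inspect_presigned_url(SAMPLE_URL).items():
        print(f"{key:>16}: {value}")
```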

Post-Exploitation

Bucket Impact Review

Summarize accessible buckets, object counts, and permissions.

aws --endpoint-url http://target.com:9000 s3 ls > buckets.txt
aws --endpoint-url http://target.com:9000 s3 ls s3://bucket-name --recursive > bucket-objects.txt
mc anonymous get target/bucket-name > bucket-policy.txt

Secret Review

Review small samples before broad downloads.

grep -Ei 'password|secret|token|apikey|private key|connection string' bucket-objects.txt
trufflehog filesystem downloaded-bucket/
gitleaks detect --source downloaded-bucket/

Backup Review

Backups and dumps commonly contain credentials and production data.

grep -Ei 'backup|dump|db|sql|mongo|postgres|mysql|redis|snapshot|archive' bucket-objects.txt

Useful Tools

Tool                   Purpose
aws                    S3 API testing
mc                     MinIO-native testing
s3cmd                  S3-compatible testing
curl                   HTTP and object checks
nmap                   Port scanning
httpx                  Console fingerprinting
trufflehog / gitleaks  Secret scanning

Security Misconfigurations

Misconfiguration             Risk
Anonymous bucket listing     Object inventory disclosure
Public object read           Sensitive file exposure
Public object write          Data pollution or malware hosting
Leaked access keys           Bucket or tenant compromise
Broad bucket policy          Cross-user data exposure
Exposed MinIO console        Credential and admin attack surface
Long-lived presigned URLs    Uncontrolled object access
Backups stored unprotected   Secret and data leakage