One Day Sec

How can an attacker log in to the MinIO web interface to perform version detection?

An attacker can log in by sending a JSON payload to `http://127.0.0.1:9090/api/v1/login` with the default credentials `minioadmin:minioadmin`. On successful authentication, the server returns a 204 status and sets a cookie in the response header (`Cookie: token=xxxx`); that token must be sent with subsequent API calls.
MinIO, authentication, API, login, default credentials
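The login described above only works while the default `minioadmin:minioadmin` pair is still in effect, so the defensive counterpart is to audit the server's environment file before it is deployed. The following is an added example, not code from the original page or from the MinIO project. It assumes the credentials are supplied through `MINIO_ROOT_USER` / `MINIO_ROOT_PASSWORD` (or the deprecated `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY`) in a `KEY=VALUE` file, and that an unset value means the server falls back to the default; the function names and sample inputs are constructed for illustration.

```python
import re

DEFAULT_USER = "minioadmin"      # default named in the answer above
DEFAULT_PASSWORD = "minioadmin"
# Current variable names first, then the deprecated pair used by older releases.
USER_KEYS = ("MINIO_ROOT_USER", "MINIO_ACCESS_KEY")
PASSWORD_KEYS = ("MINIO_ROOT_PASSWORD", "MINIO_SECRET_KEY")

_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse KEY=VALUE lines (optional 'export', optional quotes); later lines win."""
    env = {}
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def audit_minio_env(text):
    """Return a list of findings; an empty list means no default credential is in effect."""
    env = parse_env(text)
    findings = []
    for label, keys, default in (("user", USER_KEYS, DEFAULT_USER),
                                 ("password", PASSWORD_KEYS, DEFAULT_PASSWORD)):
        key = next((k for k in keys if env.get(k)), None)
        if key is None:
            # Assumption: with nothing configured, the server uses its default.
            findings.append(f"{label}: not set, falls back to default '{default}'")
        elif env[key] == default:
            findings.append(f"{label}: {key} is explicitly set to default '{default}'")
    return findings


# Constructed sample inputs, not taken from any real deployment.
WEAK_ENV = 'MINIO_VOLUMES="/data"\nMINIO_ROOT_USER=minioadmin\n'
HARDENED_ENV = "export MINIO_ROOT_USER='ops-console'\nMINIO_ROOT_PASSWORD=\"Xk7-constructed-sample\"\n"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_minio_env(sample) or "ok")
```

A non-empty result from `audit_minio_env` is a reason to block the deployment until both values are replaced.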
