Tags: cryptography crypto dsa 


A DSA implementation that did not choose k (the random value used when signing) at random. Instead, k depended on both randomness and the message, allowing us to get k=0.
This results in the second part of the signature being s = h + xr mod q, where we know h = sha1(message), the signature (r, s), and q as part of the public key.
This allows us to compute the private key x, which is the flag.
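
The recovery step described above, as an added example (not code from the original writeup): rearranging s = h + xr mod q gives x = (s - h) * r^-1 mod q. The modulus, message, key and signature below are constructed stand-ins, not the challenge's parameters, and the function names are hypothetical.

```python
import hashlib
from math import gcd


def sha1_int(message: bytes) -> int:
    """h = SHA-1(message), read as a big-endian integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def recover_private_key(message: bytes, r: int, s: int, q: int) -> int:
    """Solve s = h + x*r (mod q) for x, given one signature (r, s)."""
    if not (0 < r < q and 0 < s < q):
        raise ValueError("r and s must lie in [1, q-1]")
    if gcd(r, q) != 1:
        raise ValueError("r is not invertible modulo q")
    h = sha1_int(message) % q
    # x = (s - h) * r^-1 mod q
    return (s - h) * pow(r, -1, q) % q


def int_to_bytes(x: int) -> bytes:
    """Decode the recovered integer back into the bytes it encodes."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def make_sample():
    """Build a constructed signature that satisfies s = h + x*r (mod q)."""
    q = 2**160 - 47                      # constructed stand-in for the 160-bit q
    x = int.from_bytes(b"flag{constructed}", "big")  # constructed private key
    message = b"constructed message"
    r = 0x0123456789ABCDEF0123456789ABCDEF01234567   # constructed r value
    s = (sha1_int(message) + x * r) % q
    return message, r, s, q, x


if __name__ == "__main__":
    message, r, s, q, _ = make_sample()
    print(int_to_bytes(recover_private_key(message, r, s, q)))
```
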

Original writeup (https://upbhack.de/posts/2019/midnightsun-quals/ezdsa/).