www-data is not the intended entry method, although it is possible (just waaaay more effort, and different esc method). I don’t want to spoil, but there is a known exploit that works from www-data (so I’ve been told, haven’t done it myself). Take a look on exploit-db in the privilege escalation category and try a few things.