You need a reverse SSH tunnel, and a regular SSH tunnel, and you join them together in the middle.
We have 3 machines. Friend, Server, Mac.
From Friend, you connect to Server using SSH, setting up a tunnel in the reverse direction.
ssh -R 9999:localhost:5900 user@Server
This creates an ssh session from Friend, to Server. On Server it listens on port 9999 (on the localhost address), and forwards anything on that port, back to Friend on port 5900 (through the ssh tunnel, so the firewall doesn't block it).
On Friend, you now need to ensure there's a VNC server listening on port 5900 (this is the default port for VNC servers).
Then, from Mac, you do this,
ssh -L 9999:localhost:9999 user@Server
That tunnels everything on port 9999 at your end, to port 9999 on the localhost on Server. Since 9999 on Server is then forwarded to Friend, you've joined the tunnels together.
Now, you can open a VNC Client on Mac, and connect it to port 9999 (i.e. when it asks what to connect to, you connect to 127.0.0.1:9999).
The ssh daemon on Server needs to support port forwarding for this to work.
You can do this with only one tunnel (the reverse tunnel from Friend using a slightly different format), but that leaves the Friend computer at risk because it would allow anyone to VNC to Friend by connecting to the port on Server's public IP address. This way, only you can connect.